Re: [users@httpd] SSL reverse proxy question

You are not mistaken... the three CA certificates would match the three
server names... where is the problem?
Do you have any other idea?

Andrea



----- Original Message ----- 
From: "David Lang" <dlang@xxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Friday, April 22, 2005 3:03 PM
Subject: Re: [users@httpd] SSL reverse proxy question


> I didn't think you could use name-based virtual hosts with SSL since the
> server cert needs to match the hostname requested and the server won't see
> the request until after the SSL session is established (at least with
> SSL2/3)
>
> Am I mistaken?
>
> David Lang
>
>
> On Fri, 22 Apr 2005, Niccolo' Manfrini wrote:
>
> > Andrea Palmieri wrote:
> >
> >> I'm using Apache as a reverse proxy to hide several backend servers
> >> which host several applications:
> >>   https://myapache/name1/application_a -> http://ipserver1/application_a
> >>   https://myapache/name1/application_b -> http://ipserver1/application_b
> >>   https://myapache/name2/application_c -> http://ipserver2/application_c
> >> I'm using SSL client authentication with x509 certificates to
> >> authenticate users.
> >> I was wondering if I can use different CA certificate files (one for
> >> each back-end server) to authenticate users' client certificates.
> >> Example: users accessing application_a are authenticated using CertCA1,
> >> users accessing application_b are authenticated using CertCA1,
> >> users accessing application_c are authenticated using CertCA2.
> >> The SSLCACertificateFile directive is used to set CA certificate
> >> files, but it can't be used within a <Location> context!
> >> Any suggestion or idea is really appreciated.
> >> Andrea
> >
> > Maybe you can add to your DNS service configuration three CNAME values
> > that point to your reverse proxy server name. For example:
> >
> > application_a.mydomain.com, application_b.mydomain.com,
> > application_c.mydomain.com
> > should resolve to: reverse_proxy.mydomain.com
> >
> > Then append to your reverse proxy httpd.conf three VirtualHost
> > definitions:
> >
> > <VirtualHost *:443>
> > ServerName application_a.mydomain.com
> > SSLEngine on
> > SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
> > SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> > ProxyPass / http://myinternal_server/application_a/
> > ProxyPassReverse / http://myinternal_server/application_a/
> > </VirtualHost>
> >
> > <VirtualHost *:443>
> > ServerName application_b.mydomain.com
> > SSLEngine on
> > SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
> > SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> > ProxyPass / http://myinternal_server/application_b/
> > ProxyPassReverse / http://myinternal_server/application_b/
> > </VirtualHost>
> >
> > <VirtualHost *:443>
> > ServerName application_c.mydomain.com
> > SSLEngine on
> > SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
> > SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> > ProxyPass / http://myinternal_server/application_c/
> > ProxyPassReverse / http://myinternal_server/application_c/
> > </VirtualHost>
> >
> >
> > ------------------------------------------
> > Niccolo' Manfrini
> > Protechta - Information Security
> > Tel. +39 0521 2021
> > Fax. +39 0521 207461
> > http://www.protechta.it/
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

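An alternative that sidesteps the name-based SSL vhost problem David raises, given here as an added example and not as anything posted in this thread or shipped by the Apache project: because SSLCACertificateFile and SSLVerifyClient take effect per server or virtual host, keep one client-CA bundle (CertCA1 and CertCA2 concatenated) and verify the client certificate once at the vhost level, then decide per <Location> which issuing CA is acceptable for that backend with SSLRequire on the client certificate's issuer DN. Only one hostname (myapache) is involved, so no per-application certificate or DNS trick is needed. Two points worth noting against Niccolo's config: SSLCertificateFile is the proxy's own server certificate, while a CA certificate used to verify clients belongs in SSLCACertificateFile; and several SSL <VirtualHost>s on one IP:port only work once the client and server support SNI (httpd 2.2.12 with OpenSSL 0.9.8f or later), which is exactly the limitation David describes. The hostnames, paths, file names and issuer DN strings below are placeholders taken from Andrea's description or made up for the example.

```apache
# Added example, not the thread's own configuration. Hostnames, paths, file
# names and the issuer DN strings are placeholders; substitute your own.
Listen 443

<VirtualHost *:443>
    ServerName myapache
    SSLEngine on

    # The proxy's own server certificate and private key. This is NOT a CA
    # certificate; the CAs that issue client certificates go below.
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # One bundle holding every CA that may issue a client certificate, built with:
    #   cat CertCA1.crt CertCA2.crt > /etc/httpd/conf/ssl.crt/client-cas.pem
    # Chain validation happens once in the handshake, at vhost level, so no
    # per-Location renegotiation is triggered.
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/client-cas.pem
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Per-path authorization: after the certificate has validated against the
    # bundle, accept it here only if it was issued by the CA that owns this
    # backend. The issuer DN must be written in the format mod_ssl uses:
    # the legacy "/C=IT/O=Example/CN=CertCA1" form on httpd 2.2 and earlier
    # (also on 2.4 with "SSLOptions +LegacyDNStringFormat"), or the RFC 2253
    # form "CN=CertCA1,O=Example,C=IT" on httpd 2.3.11 and later.
    # The string to use is the CA's own subject, which you can print with:
    #   openssl x509 -in CertCA1.crt -noout -subject
    <Location /name1/>
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=IT/O=Example/CN=CertCA1"
        ProxyPass        http://ipserver1/
        ProxyPassReverse http://ipserver1/
    </Location>

    <Location /name2/>
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=IT/O=Example/CN=CertCA2"
        ProxyPass        http://ipserver2/
        ProxyPassReverse http://ipserver2/
    </Location>
</VirtualHost>
```

With this layout a certificate from CertCA2 still passes the TLS handshake (the bundle trusts both CAs) but is refused with 403 under /name1/, which is the behaviour Andrea asked for. Keep the CA subjects distinct enough that an exact DN comparison is unambiguous rather than matching on a substring. On httpd 2.4, where SSLRequire is deprecated, the same check can be written as `Require expr %{SSL_CLIENT_I_DN_CN} == 'CertCA1'` inside the <Location>.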
