On Fri, 22 Apr 2005, Andrea Palmieri wrote:
> Date: Fri, 22 Apr 2005 14:40:56 +0200
> From: Andrea Palmieri <palmieri@xxxxxx>
> Reply-To: users@xxxxxxxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] SSL reverse proxy question
>
> You are not mistaken... the three CA certificates would match the three server names... where is the problem?
The problem is that the client connects to the IP address and then the server needs to hand out the cert; at that point it doesn't know which name is being used, so it doesn't know which cert to hand out.
> Do you have any other idea?
No, but I thought the question was about handling client certs, not server certs anyway.
David Lang
> Andrea
>
> ----- Original Message -----
> From: "David Lang" <dlang@xxxxxxxxxxxx>
> To: <users@xxxxxxxxxxxxxxxx>
> Sent: Friday, April 22, 2005 3:03 PM
> Subject: Re: [users@httpd] SSL reverse proxy question
>
> > I didn't think you could use name-based virtual hosts with SSL, since the server cert needs to match the hostname requested and the server won't see the request until after the SSL session is established (at least with SSL2/3). Am I mistaken?
> >
> > David Lang
> >
> > On Fri, 22 Apr 2005, Niccolo' Manfrini wrote:
> >
> > > Andrea Palmieri wrote:
> > >
> > > > I'm using Apache as a reverse proxy to hide several backend servers which host several applications:
> > > >
> > > >   https://myapache/name1/application_a -> http://ipserver1/application_a
> > > >   https://myapache/name1/application_b -> http://ipserver1/application_b
> > > >   https://myapache/name2/application_c -> http://ipserver2/application_c
> > > >
> > > > I'm using SSL client authentication with X.509 certificates to authenticate users. I was wondering if I can use different CA certificate files (one for each back-end server) to authenticate users' client certificates.
> > > >
> > > > Example:
> > > >   users accessing application_a are authenticated using CertCA1
> > > >   users accessing application_b are authenticated using CertCA1
> > > >   users accessing application_c are authenticated using CertCA2
> > > >
> > > > The SSLCACertificateFile directive is used to set CA certificate files, but it can't be used within a <Location> context!
> > > >
> > > > Any suggestion or idea is really appreciated
> > > >
> > > > Andrea
> > >
> > > Maybe you can add to your DNS service configuration three CNAME values that point to your reverse proxy server name.
> > > For example: application_a.mydomain.com, application_b.mydomain.com, application_c.mydomain.com should resolve to: reverse_proxy.mydomain.com
> > >
> > > Then append to your reverse proxy httpd.conf three VirtualHost definitions:
> > >
> > >   <VirtualHost *:443>
> > >       ServerName application_a.mydomain.com
> > >       SSLEngine on
> > >       SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
> > >       SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> > >       ProxyPass / http://myinternal_server/application_a/
> > >       ProxyPassReverse / http://myinternal_server/application_a/
> > >   </VirtualHost>
> > >
> > >   <VirtualHost *:443>
> > >       ServerName application_b.mydomain.com
> > >       SSLEngine on
> > >       SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
> > >       SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> > >       ProxyPass / http://myinternal_server/application_b/
> > >       ProxyPassReverse / http://myinternal_server/application_b/
> > >   </VirtualHost>
> > >
> > >   <VirtualHost *:443>
> > >       ServerName application_c.mydomain.com
> > >       SSLEngine on
> > >       SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
> > >       SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> > >       ProxyPass / http://myinternal_server/application_c/
> > >       ProxyPassReverse / http://myinternal_server/application_c/
> > >   </VirtualHost>
> > >
> > > ------------------------------------------
> > > Niccolo' Manfrini
> > > Protechta - Information Security
> > > Tel. +39 0521 2021
> > > Fax. +39 0521 207461
> > > http://www.protechta.it/
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
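A worked configuration for the problem Andrea raised, added here as an editorial example; it is not code from the thread or from the Apache project. Two points from the discussion drive it. First, SSLCACertificateFile is limited to server-config and VirtualHost scope, so the set of trusted CAs cannot change per <Location>; what can be evaluated per <Location> is the issuer of the client certificate that was already verified, via SSLRequire. So the workaround is to load one bundle containing both CertCA1 and CertCA2 at vhost scope and then restrict each URL prefix to certificates issued by the right CA. Second, Niccolo's three-vhost layout cannot work on a single IP address with the TLS stack of 2005, for exactly the reason David gives: the server must pick a certificate before it sees the Host header. That changed with the Server Name Indication (SNI) extension, supported in mod_ssl from httpd 2.2.12 with OpenSSL 0.9.8f or later built with TLS extensions, so name-based SSL vhosts are a valid alternative today for clients that send SNI. Note also that his snippet points SSLCertificateFile (the server certificate directive) at the CA files; the CA files belong in SSLCACertificateFile. The file paths, the issuer DN values ("Example Org", "CertCA1", "CertCA2") and the backend host names below are assumptions for illustration.

```apache
# Added example, not from the mailing-list thread.
# Assumed files:
#   /etc/httpd/conf/ssl.crt/server.crt     the proxy's own server certificate
#   /etc/httpd/conf/ssl.key/server.key     its private key
#   /etc/httpd/conf/ssl.crt/ca-bundle.crt  CertCA1.crt and CertCA2.crt concatenated (PEM)
# Assumed issuer DN fields of the two CAs: O="Example Org", CN="CertCA1" / "CertCA2".
Listen 443

<VirtualHost *:443>
    ServerName myapache

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # Every CA whose client certificates are acceptable somewhere on this vhost.
    # This directive is vhost scope only, so it cannot differ per <Location>;
    # the per-application split is enforced by SSLRequire further down.
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

    # Ask for the client certificate in the initial handshake, at vhost scope,
    # so no per-<Location> renegotiation is needed.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export SSL_CLIENT_* as environment variables for RequestHeader below.
    SSLOptions +StdEnvVars

    # name1/* is served by ipserver1 and only accepts certificates issued by CertCA1.
    # Match O and CN of the issuer, not CN alone: two CAs in the bundle could share a CN.
    <Location /name1/>
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Org" and %{SSL_CLIENT_I_DN_CN} eq "CertCA1"
        # httpd 2.4 equivalent (SSLRequire is deprecated there):
        # Require expr "%{SSL_CLIENT_I_DN_O} == 'Example Org' && %{SSL_CLIENT_I_DN_CN} == 'CertCA1'"
    </Location>
    ProxyPass        /name1/ http://ipserver1/
    ProxyPassReverse /name1/ http://ipserver1/

    # name2/* is served by ipserver2 and only accepts certificates issued by CertCA2.
    <Location /name2/>
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Org" and %{SSL_CLIENT_I_DN_CN} eq "CertCA2"
        # Require expr "%{SSL_CLIENT_I_DN_O} == 'Example Org' && %{SSL_CLIENT_I_DN_CN} == 'CertCA2'"
    </Location>
    ProxyPass        /name2/ http://ipserver2/
    ProxyPassReverse /name2/ http://ipserver2/

    # Hand the verified identity to the backend. "set" overwrites any value the
    # client sent, so the backend must accept this header only from the proxy:
    # the proxy-to-backend hop is plain HTTP in this setup, so restrict the
    # backend to the proxy's address at the network or web-server level.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}e"
    RequestHeader set X-Client-Issuer "%{SSL_CLIENT_I_DN}e"
</VirtualHost>
```

The security property to keep in mind: because both CAs sit in one bundle, a certificate from CertCA2 passes the TLS handshake on the whole vhost, and it is the SSLRequire line under /name1/ that rejects it there with 403. Test that explicitly (present a CertCA2 client cert to /name1/application_a and expect a 403) rather than assuming the handshake does the work. Anything outside /name1/ and /name2/ on this vhost is reachable by a holder of any bundled CA's certificate, so either add a default deny for other paths or make sure nothing else is served there.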