[users@httpd] SSL termination on apache but client certificate routed through

Hello List,
 
I still have this question coming up: I have an apache configured as a reverse proxy. Behind that proxy there is an application server. A client is to connect to the apache via SSL and it needs to authenticate to the internal application server with its client certificate. Is this at all possible?
 
 
                  |                    |
                  |                    |
   +--------+     |     +--------+     |   +--------+
   | client |-----|---->| apache |-----|-->| appsrv |
   | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
   +--------+     |     +--------+     |   +--------+
                  |                    |
   initiates      |     encrypts       |   client logon
   connection    FW1    with cert-2   FW2  with cert-1
                            

As can be seen in the crude picture above: the client initiates the SSL connection to the apache.
The apache's cert-2 is used for encryption and the client is prepared to authenticate itself using
its client cert-1. At the moment the apache is NOT configured to validate the client's certificate, but ignores it - this is because the apache has no knowledge of the application that wants the authentication in the backend server.
After the SSL connection between client and apache is established, the apache initiates a new SSL connection to the application server. This connection is encrypted with the appsrv's cert-3. Now the application server wants the client to authenticate itself using a client certificate instead of a normal username/password pair. This, of course, fails at the moment, because the certificate of the apache has no rights in the application and the client cert-1 is lost due to the apache terminating the SSL connection.
 
Now again my question: Can I configure the apache to forward the client cert-1 to the backend application server? Is there a module that I can use for this? I'm not sure at the moment if such a module could work at all.
 
As far as I understand SSL, it needs a direct connection between the two communication partners, but on the other hand a reverse proxy is a common tool to improve the security of a server on the internet, so maybe there is some way to achieve this and I'm just missing the point.
 
Please, can anyone help me with this?
 
Kind regards,
 
   Christian
 
Christian Günther
SAP NetWeaver Technical Consultant
 
REALTECH
REALTECH system consulting GmbH
Industriestraße 39c
69190 Walldorf Germany
 
Tel.: +49 6227 837 267
Fax: +49 6227 837 837
Mobile: +49 173 302 2153
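The following is an added configuration example, not part of the original post and not an answer from the list. It shows the approach mod_ssl supports for the picture above: the proxy cannot hand the client's TLS handshake through to appsrv, so it verifies cert-1 itself and passes the verified certificate to the backend in a request header over the second, proxy-authenticated TLS connection. Hostnames, file paths and the header names (X-SSL-Client-Cert, X-SSL-Client-DN) are placeholders; the backend side (mapping the header to a user, and accepting it only when the request arrived from this proxy) is assumed and not shown.

```apache
# Added example (not from the original post). Paths, hostnames and the
# X-SSL-Client-* header names are assumed placeholders.
#
# Front side (FW1): client <-> apache. The proxy terminates TLS with cert-2 and
# is the only party that can verify cert-1, so verification must happen here.
# Back side (FW2): apache <-> appsrv. The proxy speaks TLS to cert-3 and
# presents cert-2 as its own client certificate so appsrv can recognise it,
# then relays the verified cert-1 in a header.

Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy/cert-2.pem
    SSLCertificateKeyFile /etc/ssl/proxy/cert-2.key

    # Verify cert-1 against the CA that issues client certificates.
    # The current "ignore" setting discards cert-1 entirely; "require" makes
    # the handshake fail for clients without a valid certificate.
    SSLCACertificateFile /etc/ssl/proxy/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Make the certificate (SSL_CLIENT_CERT) and its subject DN available
    # as mod_ssl variables for mod_headers below.
    SSLOptions +StdEnvVars +ExportCertData

    # Relay the verified certificate to the backend. "set" replaces any copy
    # of the header a client sent itself; the explicit "unset" first keeps
    # that intent visible (an "append" here would let any client claim an
    # arbitrary identity by sending the header).
    RequestHeader unset X-SSL-Client-Cert
    RequestHeader unset X-SSL-Client-DN
    RequestHeader set   X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"
    RequestHeader set   X-SSL-Client-DN   "%{SSL_CLIENT_S_DN}s"

    # Second TLS connection to appsrv: verify cert-3 and authenticate the
    # proxy with cert-2 (file must contain certificate and private key, PEM).
    SSLProxyEngine on
    SSLProxyCACertificateFile      /etc/ssl/proxy/backend-ca.pem
    SSLProxyVerify                 require
    SSLProxyMachineCertificateFile /etc/ssl/proxy/cert-2-with-key.pem

    ProxyPass        / https://appsrv.internal.example.com/
    ProxyPassReverse / https://appsrv.internal.example.com/
</VirtualHost>
```

Two caveats a practitioner would check before relying on this. First, the backend must treat X-SSL-Client-Cert as an identity assertion only when the request demonstrably came from this proxy (the mutual TLS with cert-2 above, or a network path that only the proxy can use); a backend that accepts the header from anyone has replaced certificate authentication with a spoofable header. Second, SSL_CLIENT_CERT is a multi-line PEM blob and header values cannot carry line breaks, so the backend receives it with the breaks folded into whitespace and has to re-fold them (or take the subject DN header alone) before parsing the certificate.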
 