Re: [users@httpd] SSL termination on apache but client certificate routed through

[isha b <ishaa.b@xxxxxxxxx>]

Christain ,

 

Apache modules , mod_proxy_http and mod_proxy_html will help to so solve your problem ,

Compile and Include these module under your httd.conf as

 

# Example:

# LoadModule foo_module modules/mod_foo.so

LoadModule headers_module modules/mod_headers.so

LoadModule proxy_module modules/mod_proxy.so

LoadFile /usr/lib/libxml2.so

LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule proxy_html_module modules/mod_proxy_html.so

Next ,

Under <If_Module > put the entries above you ProxyPass entries

 

<IfModule mod_proxy.c>

RequestHeader set Front-End-Https "On"

ProxyRequests Off

ProxyPreserveHost On

ProxyHTMLLogVerbose On

LogLevel Info

ProxyHTMLExtended On

ProxyHTMLURLMap from-pattern to-pattern flags

AllowCONNECT 443

 

Restart Apache and see the result !!!

 

My servers with back to back SSL are working fine with this configuration !

 

 

 

 

Regards,

Isha B

PL -Technical Support Group

Syntel Ltd

 

 

On 9/14/05, Guenther, Christian <Christian.Guenther@xxxxxxxxxxxx> wrote:

Hello List,

 

I still have this question coming up: I have an apache configured as a reverse proxy. Behind that proxy there is an application server. A client is to connect to the apache via SSL and it needs to authenticate to the internal application server with it's client certificate. IS THIS AT ALL POSSIBLE?

 

 

                  |                    |

                  |                    |

   +--------+     |     +--------+     |   +--------+

   | client |-----|---->| apache |----- |-->| appsrv |

   | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |

   +--------+     |     +--------+     |   +--------+

                  |                    |

   initiates      |     encrypts       |   client logon

   connection    FW1    with cert-2   FW2  with cert-1

                            

As can be seen in the crude picture above: The client initiates the SSL connection to the apache.

The apache's cert-2 is used for encryption and the client is prepared to authenticate itself using

his client cert-1. At the moment the apache is NOT configured to validate the clients certificate, but ignores it - This is because the apache has no knowledge of the application that wants the authentication in the backend server.

After the SSL connection between client and apache is established, the apache initiates a new SSL connection to the application server. This connection is encrypted with the appsrv's cert-3. Now the application server want's the client to authenticate itself using client certificate instead of with a normal username/password pair. This, of course, fails at the moment, because the certificate of the apache has no rights in the application and the client cert-1 is lost due to the apache terminating the SSL connection.

 

Now again my question: Can I configure the apache to forward the client cert-1 to the backend application server? Is there a module that I can use for this? I'm not sure at the moment if such a module could work at all.

 

As far as I understand SSL, it needs a direct connection between the two communication partners, but on the other hand a reverse proxy is a common tool to improve the security of a server on the internet, so maybe there is some way to achieve this and I'm just mssing the point.

 

Please, can anyone help me with this?

 

Kind regards,

 

   Christian

 

Christian Günther

SAP NetWeaver Technical Consultant

 

REALTECH

REALTECH system consulting GmbH

Industriestraße 39c

69190 Walldorf Germany

 

Tel.: +49 6227 837 267

Fax: +49 6227 837 837

Mobile: +49 173 302 2153

mailto: christian.guenther@xxxxxxxxxxxx