Re: [users@httpd] SSL termination on apache but client certificate routed through

Quoting "Guenther, Christian" <Christian.Guenther@xxxxxxxxxxxx>:

Hello List,

I still have this question coming up: I have an apache configured as a reverse proxy. Behind that proxy there is an application server. A client is to connect to the apache via SSL and it needs to authenticate to the internal application server with its client certificate. IS THIS AT ALL POSSIBLE?

yes, we have that.



                 |                    |
                 |                    |
  +--------+     |     +--------+     |   +--------+
  | client |-----|---->| apache |-----|-->| appsrv |
  | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
  +--------+     |     +--------+     |   +--------+
                 |                    |
  initiates      |     encrypts       |   client logon
  connection    FW1    with cert-2   FW2  with cert-1


As can be seen in the crude picture above: The client initiates the SSL connection to the apache. The apache's cert-2 is used for encryption and the client is prepared to authenticate itself using its client cert-1. At the moment the apache is NOT configured to validate the client's certificate, but ignores it - this is because the apache has no knowledge of the application that wants the authentication in the backend server. After the SSL connection between client and apache is established, the apache initiates a new SSL connection to the application server. This connection is encrypted with the appsrv's cert-3. Now the application server wants the client to authenticate itself using a client certificate instead of a normal username/password pair. This, of course, fails at the moment, because the certificate of the apache has no rights in the application and the client cert-1 is lost due to the apache terminating the SSL connection.

Now again my question: Can I configure the apache to forward the client cert-1 to the backend application server? Is there a module that I can use for this? I'm not sure at the moment if such a module could work at all.

yes, mod_rewrite can do this.
this is some old stuff, but you might get the idea:

# prerequisite: %{SSL:SSL_CLIENT_CERT} is only populated when mod_ssl asks
# the client for a certificate (SSLVerifyClient) and exports it
# (SSLOptions +ExportCertData)

# internal function: URL-escape the value, because the PEM contains
# newlines and a header value must be a single line
RewriteMap  canonicalize int:escape

# client cert check: match the PEM block and capture its body in %1
# (note: httpd does not allow a comment after a directive on the same
# line, and the pattern must not start with a literal "/")
RewriteCond  %{SSL:SSL_CLIENT_CERT} \
^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+CERTIFICATE-----$ [NC]
# ok, we had a client cert, so first put it in an env variable
RewriteRule ^/login - [E=FORWARD_CERT:${canonicalize:%1}]

# then use that env variable to forward it to the app server via a custom
# request header
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT


With this, you should have the backend code on the appserver pull out the request header value and authenticate via that.


./allan
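The forwarding trick above works, but as posted it leaves two gaps a reviewer would flag: nothing stops the client from sending its own APACHE_CLIENT_CERT_HARD header, which mod_proxy would pass straight through, and the env variable is never populated unless mod_ssl has been told to request and export the certificate. The following vhost is an added example, not configuration from the post or from the httpd project; the hostnames, file paths and the header names X-Client-Cert and X-Client-Verify are assumptions.

```apache
<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy/cert-2.pem
    SSLCertificateKeyFile /etc/ssl/proxy/cert-2.key

    # Request a client certificate and export the PEM into SSL_CLIENT_CERT;
    # without these two directives the RewriteCond below never matches.
    # "optional" validates a presented cert against the CA file and records
    # the outcome in SSL_CLIENT_VERIFY (SUCCESS, NONE or FAILED:reason).
    SSLCACertificateFile /etc/ssl/proxy/client-ca.pem
    SSLVerifyClient optional
    SSLOptions +ExportCertData

    # Trust boundary: drop any copy of these headers that arrived from the
    # client before anything else runs, so a client cannot inject a
    # certificate of its choosing. mod_proxy forwards all request headers.
    RequestHeader unset X-Client-Cert   early
    RequestHeader unset X-Client-Verify early

    RewriteEngine on
    # URL-escape the PEM so its newlines cannot split or inject a header
    RewriteMap escape int:escape
    RewriteCond %{SSL:SSL_CLIENT_CERT} ^(-----BEGIN\s+CERTIFICATE-----\n[^#]+-----END\s+CERTIFICATE-----)$ [NC]
    RewriteRule ^ - [E=FORWARD_CERT:${escape:%1}]

    # Set the headers only when the TLS layer actually delivered a cert
    RequestHeader set X-Client-Cert   "%{FORWARD_CERT}e"       env=FORWARD_CERT
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"  env=FORWARD_CERT

    # Second TLS hop to the app server (cert-3): verify its certificate so the
    # forwarded client cert is never handed to an impostor backend.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/proxy/backend-ca.pem
    ProxyPass        / https://appsrv.internal:8443/
    ProxyPassReverse / https://appsrv.internal:8443/
</VirtualHost>
```

On the appserver side, X-Client-Cert only proves that the client demonstrated possession of the private key to the proxy, so the backend must accept the header exclusively from the proxy (by source address, or better by requiring cert-2 on the second hop) and never from any other peer. If the proxy cannot hold the client CA and has to use SSLVerifyClient optional_no_ca instead, SSL_CLIENT_VERIFY will read GENEROUS rather than SUCCESS, and the backend then has to validate the chain and revocation status of the unescaped PEM itself before mapping it to a user.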


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx