Quoting "Guenther, Christian" <Christian.Guenther@xxxxxxxxxxxx>:

> Hello List,
>
> I still have this question coming up: I have an apache configured as
> a reverse proxy. Behind that proxy there is an application server. A
> client is to connect to the apache via SSL and it needs to
> authenticate to the internal application server with its client
> certificate. IS THIS AT ALL POSSIBLE?

yes, we have that.

>
>                |                    |
>                |                    |
> +--------+     |     +--------+     |   +--------+
> | client |-----|---->| apache |-----|-->| appsrv |
> | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
> +--------+     |     +--------+     |   +--------+
>                |                    |
> initiates      |   encrypts         |   client logon
> connection    FW1   with cert-2    FW2  with cert-1
>
>
> As can be seen in the crude picture above: The client initiates the
> SSL connection to the apache.
> The apache's cert-2 is used for encryption and the client is prepared
> to authenticate itself using his client cert-1. At the moment the
> apache is NOT configured to validate the client's certificate, but
> ignores it - This is because the apache has no knowledge of the
> application that wants the authentication in the backend server.
> After the SSL connection between client and apache is established,
> the apache initiates a new SSL connection to the application server.
> This connection is encrypted with the appsrv's cert-3. Now the
> application server wants the client to authenticate itself using a
> client certificate instead of a normal username/password pair.
> This, of course, fails at the moment, because the certificate of the
> apache has no rights in the application and the client cert-1 is lost
> due to the apache terminating the SSL connection.
>
> Now again my question: Can I configure the apache to forward the
> client cert-1 to the backend application server? Is there a module
> that I can use for this? I'm not sure at the moment if such a module
> could work at all.

yes, mod_rewrite can do this.
this is some old stuff, but you might get the idea:

# needs mod_rewrite, mod_headers and mod_ssl; the vhost must also ask the
# client for a cert (e.g. SSLVerifyClient optional_no_ca), otherwise
# SSL_CLIENT_CERT stays empty
RewriteEngine On

# internal function: URL-escape the key, so the newlines of the PEM block
# become %0A and the whole cert fits into one header line
RewriteMap canonicalize int:escape

# client cert check: capture the base64 body between the PEM markers
RewriteCond %{SSL:SSL_CLIENT_CERT} \
  ^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+CERTIFICATE-----$ [NC]

# ok we had a client cert so first put it in an env variable
RewriteRule ^/login - [E=FORWARD_CERT:${canonicalize:%1}]

# drop any copy of the header the client sent itself, then use the env
# variable to forward the cert to the app server via a custom requestheader
RequestHeader unset APACHE_CLIENT_CERT_HARD
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT

with this you should have the backend code on the appserver pull out the
requestheader value and authenticate via that

./allan
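The backend half that the reply leaves to "the backend code on the appserver", as an added example that is not part of the thread and not Allan's configuration: a Go program that replays the proxy side (the same capture regex and the percent-escaping that RewriteMap int:escape applies to the PEM body) and then does what the app server has to do with APACHE_CLIENT_CERT_HARD: accept the header only on connections coming from the apache (address 10.0.0.2 is an assumption), percent-decode it path-style, rebuild the PEM block and verify cert-1 against the CA that issues client certificates, because the apache in this setup forwards the cert without validating it. The CA, the client certificate and the user name "alice" are constructed in-code for the demo; the trusted-proxy address and CA name are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"time"
)

const trustedProxy = "10.0.0.2" // ASSUMED: address the apache proxy connects to the app server from

// pemCapture mirrors the RewriteCond from the thread: the base64 body between the PEM markers.
var pemCapture = regexp.MustCompile(`(?i)^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+CERTIFICATE-----\n?$`)

// proxyHeaderValue plays the apache side: capture the body of SSL_CLIENT_CERT and percent-escape it like int:escape.
func proxyHeaderValue(pemCert string) (string, error) {
	m := pemCapture.FindStringSubmatch(pemCert)
	if m == nil {
		return "", fmt.Errorf("no client certificate in SSL_CLIENT_CERT")
	}
	return url.PathEscape(m[1]), nil
}

// authenticate is the app server side: trust the header only on requests from the proxy (anyone else could set
// it), decode it path-style so '+' in the base64 stays '+', and verify the cert, which the proxy did not do.
func authenticate(remoteAddr, headerValue string, roots *x509.CertPool) (string, error) {
	if remoteAddr != trustedProxy {
		return "", fmt.Errorf("APACHE_CLIENT_CERT_HARD is only trusted from the proxy, request came from %s", remoteAddr)
	}
	body, err := url.PathUnescape(headerValue)
	if err != nil {
		return "", err
	}
	block, _ := pem.Decode([]byte("-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"))
	if block == nil {
		return "", fmt.Errorf("header does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// issue builds a constructed demo certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	ca, caKey := issue("Example Client CA", true, nil, nil)
	client, _ := issue("alice", false, ca, caKey)
	hdr, err := proxyHeaderValue(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: client.Raw})))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println(authenticate(trustedProxy, hdr, roots))
}
```

Two points the header scheme itself does not enforce: without the source check (or mutual TLS with cert-2 on the FW2 leg) any host that can reach the appsrv directly could present a forged APACHE_CLIENT_CERT_HARD, and a query-string style decoder would turn the '+' characters of the base64 into spaces and break the certificate, so decode path-style.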