Apache Proxy, Client Certificate, HTTPS, etc. questions?

I just read this...

Proxy SSL and Client Certificates
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=115930874503040&w=2

and want to make sure I fully understand it and have questions at the end of this email.

Background...

In our development environment we have a JBoss server that runs a web based application...

- the web based application only communicates over HTTPS
- the web based application requires the web browser client to send its client certificate to JBoss
- the web browser client PC and the JBoss physical server machine both reside on the same network with nothing between them
- JBoss performs authentication and authorization based on content in the sent client certificate from the web browser client PC

The above setup works like a champ in our development environment.

My problem...

We have been tasked to set up our JBoss server web based application in a production environment like so...

- The JBoss server will reside on physical server A
- The web browser client PC will NOT be on the same network as physical server A
- there are multiple firewalls between web browser client PC and the JBoss server that resides on physical server A
- there is however one physical box, let's call it physical server B, that...
  - the web browser client PCs CAN see and connect to
  - the JBoss server physical server A CAN also see and connect to
- this physical box B is literally a server box that currently has certain ports open and tomcat and apache running on it serving out content to web browser client PCs.
- We are NOT allowed to put our JBoss server on it currently for multiple reasons, long story
- we MUST run our JBoss web based application on physical server A behind physical server B.

So we are currently looking for ways to bridge the gap between our JBoss web based application on physical server A and the web browser client PCs so that we can perform both...
- HTTPS
- client certificate A&A

I am currently looking at Apache 2.2.3 and its proxy support to bridge the gap.

Almost everything I have read tells me that...

- I CAN do the HTTPS portion
- but that I can NOT do the client certificate A&A portion

Can you please confirm the above two assumptions and give some input as to why and why not. I need to bring the info to my management and formally document it.

If Apache with proxy support can not do it, do you know of any piece of "software" that could do it? I assume iptables or ipfilter could do it, BUT we would be hard pressed to be allowed to install anything like that on there that requires root.

Basically I *think* I need a transparent proxy that takes whatever it gets at the TCP/IP level and forwards it on to the correct physical server.

I have read some stuff that says that you can do it with Apache...

http://www.redhat.com/docs/manuals/stronghold/Stronghold-3.0-Manual/admin-guide/chapter2.fm.html#71712.Heading1.Proxy.Authentication

Normal proxy service (configured with ProxyRequests) uses the CONNECT protocol. Normal proxy service passes the browser's client certificate to the remote server during SSL and TLS transactions. The remote server then authenticates the browser and not the proxy server. The browser verifies the remote server's site certificate.

Thanks much for your time and input, I greatly appreciate it.
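
An added illustration, not part of the original post or of any reply to it: an Apache reverse proxy on server B ends the browser's TLS session itself and cannot re-present the browser's certificate to JBoss, because it does not hold the browser's private key. A common reverse-proxy arrangement is therefore to verify the client certificate on server B and forward the verified identity to server A in request headers. Host names, file paths and the `X-SSL-Client-*` header names are placeholders chosen for this sketch, which assumes mod_ssl, mod_proxy and mod_headers are loaded.

```apache
# Added example for physical server B (Apache 2.2.x).
# All host names, paths and X-SSL-Client-* header names are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName proxy-b.example.com

    # TLS from the browser ends here: server B presents its own certificate.
    SSLEngine on
    SSLCertificateFile    /path/to/serverB.crt
    SSLCertificateKeyFile /path/to/serverB.key

    # The browser's client certificate is requested and verified on server B,
    # against the CA that issues the client certificates.
    SSLCACertificateFile  /path/to/client-issuing-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # "set" replaces any header of the same name sent by the browser, so a
    # client cannot supply its own identity values. %{VAR}s expands the
    # mod_ssl variable VAR for this connection.
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # A second, separate TLS connection runs from server B to JBoss on
    # server A; the backend certificate is checked against its CA.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /path/to/serverA-ca.crt

    # Reverse proxy only; forward (CONNECT) proxying stays off.
    ProxyRequests    Off
    ProxyPass        / https://server-a.example.internal:8443/
    ProxyPassReverse / https://server-a.example.internal:8443/
</VirtualHost>
```

With this layout JBoss no longer sees a client certificate in its own TLS session, so its A&A would have to read the forwarded headers instead. Those headers are only trustworthy if server A accepts connections from server B alone, since anything else that can reach server A could set them itself.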