RE: How to pass a Client Certificate through a Reverse Proxy

Hi all,

Well it's been over a year since I asked this question, and I am still
getting emails from people running into the same problem who are unable
to find a solution or any information on the subject. So, for posterity,
here is what I know...   :)

As far as I know, it cannot be achieved. 
 
It seems that the reverse proxy, while seeming to be sort of "invisible"
to the client, actually breaks the SSL connection and recreates a new
one to the external server, so passing on the client certificate is
impossible.

If your external server is a local one over which you have control, or
which you trust, then you can read the information from the certificate
at the proxy and pass on the information in the headers as a possible
alternative, but this is not secure. 
 
The way client certificates and reverse proxies are usually used is that
people set up the reverse proxy on the same server as the "external
server" I described, use the proxy to do the client certificate
authentication, and then just pass on the request to the server without
the client certificate. In this situation, the "external server" must be
hidden behind the proxy, and they must trust each other.

I had to go with an alternative solution that solved my problem: using a
cross-domain AJAX request in the browser instead of a reverse proxy.

Daniel

-----Original Message-----
From: Alexiuc, Daniel [mailto:daniel.alexiuc@xxxxxxx] 
Sent: Thursday, 08 March 2007 3:41 PM
To: users@xxxxxxxxxxxxxxxx
Subject:  How to pass a Client Certificate through a
Reverse Proxy

Hi all,

I've configured Apache as a reverse proxy in the following kind of
arrangement:

Client's browser -------> Apache Reverse Proxy ------> External Server


When the External Server requires Basic Authentication or SSL from the
client, this works fine through the proxy. I have configured this using
a RewriteRule with the "Use Proxy" option like so:

RewriteRule ^/call/(.*)$ $1 [P]


However this setup does not seem to work when I want to pass a Client
Certificate from the browser to the External Server for Authentication.
I get the following error messages:

[Thu Mar 08 11:43:29 2007] [warn] Proxy client certificate callback:
(localhost:80) downstream server wanted client certificate but none are
configured
[Thu Mar 08 11:43:29 2007] [error] (502)Unknown error: proxy: pass
request body failed to 10.43.125.11:8443

It seems as if the reverse proxy isn't passing through the client
certificate from the browser. I realise that it is possible to set up the
reverse proxy with a client certificate, but I need the client
certificate to come from the client's browser.

Does anyone have any suggestions about how to configure the reverse
proxy to "pass through" client certificates? 

Thanks for your help...

Daniel Alexiuc




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
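
The arrangement described in the reply above (the proxy authenticates the browser's certificate, then forwards the identity in request headers to a backend hidden behind it), sketched as an added example that is not part of the original thread. Host name, file paths, backend address and the X-Client-Cert-* header names are placeholders chosen for illustration; mod_ssl, mod_headers and mod_proxy_http are assumed to be loaded.

```apache
# Added example; every name, path and address below is a placeholder.
# The proxy terminates TLS, so the browser's certificate ends here.
<VirtualHost *:443>
    ServerName proxy.example.test

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/proxy.crt
    SSLCertificateKeyFile /etc/httpd/tls/proxy.key

    # Client certificate authentication happens at the proxy.
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Remove any identity headers the client sent itself, then set them
    # from the certificate mod_ssl verified on this connection. Without
    # this, the backend cannot tell a proxy-set value from a client-set one.
    RequestHeader unset X-Client-Cert-DN
    RequestHeader unset X-Client-Cert-Verify
    RequestHeader set X-Client-Cert-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Cert-Verify "%{SSL_CLIENT_VERIFY}s"

    # The backend is assumed to listen on loopback only, so the proxy is
    # the sole path to it. If it were reachable directly, anyone could
    # send these headers and be treated as an authenticated client.
    ProxyPass        /call/ http://127.0.0.1:8080/
    ProxyPassReverse /call/ http://127.0.0.1:8080/
</VirtualHost>
```

The backend sees only the header values, never the certificate, so the headers are trustworthy only as long as every request to the backend comes through this virtual host.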

