Re: Client certificate authentication on tunneling proxy

Matus UHLAR - fantomas wrote:
On 21.01.10 18:33, Andrei T wrote:
I am trying to connect to apache through SSL (port 443) and tell it to create a tunnel to some other server listening on port 80.

Why a tunnel? Who would create the tunnel? While it's possible, I don't know
of any browser that could do that.

This setup is not intended to be used by browsers. Instead, specially crafted client code will be dealing with that.

I have not tried fiddling with client certificates yet. There is no point in trying it if apache is not working even without them. My understanding is that client certificate verification is possible only through an SSL connection. That's why I am trying to make apache run in HTTPS mode for proxying.

You can configure apache so that it would behave as proxy, https on
receiving side with client certificate verification and proxying to another
tunnels. Client would think that your apache is the server.

If I understand correctly, you are suggesting that client connects to apache (through HTTPS) and then apache establishes a separate HTTPS connection to the real target server?

The downside of this approach is that the target server and client do not see (verify) each other and the proxy becomes a sweet target: anyone taking over it would be able to talk to clients and target server and see all the traffic.

You also could configure apache as proxy accessible through https (but
clients afaik don't support https proxy) and configure clients to use this
apache as proxy. But they would not issue CONNECT to port 80.

I tried configuring apache as a tunneling proxy through https, but in this scenario apache would not recognize the CONNECT request and would not establish a tunnel to the target server.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
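
The reverse-proxy arrangement discussed in this message (HTTPS with client certificate verification on the receiving side, a separate HTTPS connection to the target server), as an added configuration sketch that is not part of the original messages or the Apache project's own material. All file paths, host names and the X-Client-DN header name are placeholders chosen for illustration.

```apache
# Added illustration: paths, host names and the X-Client-DN header are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com

    # Receiving side: HTTPS, and the handshake fails without a client
    # certificate issued by the CA in client-ca.crt.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Reverse proxy only: do not accept forward-proxy requests.
    ProxyRequests Off

    # Backend side: a second, independent TLS connection. The proxy checks
    # the target server's certificate and presents its own client certificate,
    # so the target can at least restrict access to this proxy.
    SSLProxyEngine on
    SSLProxyCACertificateFile      /etc/apache2/ssl/backend-ca.crt
    SSLProxyVerify require
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem

    # "set" replaces any value the client sent under this name, so the
    # target only ever sees the subject DN that mod_ssl verified.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

TLS still terminates at the proxy in this layout, so the downside raised above is unchanged: the target server learns the client's identity only from the forwarded header and has to trust the proxy for it.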

