Yasser -

As Tom mentioned in his response, you must terminate SSL, there is no "passthrough". However, what I think you are looking for is the ability to terminate SSL at apache and pass the client certificate as part of the request that you forward to Jboss. If this is the case, you can do the following with mod_jk/apache:

Within your vhost context:

    # Define your ssl bits as needed to correctly terminate the two way handshake:
    SSLEngine on
    SSLCertificateKeyFile $FULL_PATH_TO_FILENAME
    SSLCertificateChainFile $FULL_PATH_TO_FILENAME
    SSLCACertificateFile $FULL_PATH_TO_FILENAME
    SSLCertificateFile $FULL_PATH_TO_FILENAME
    SSLInsecureRenegotiation on

    # The following directive will include the client certificate that is presented for 2way ssl in the data sent to your application server:
    SSLOptions +ExportCertData +StdEnvVars

If you use mod_jk to pass your connection from apache to jboss, you'll need to define the following:

uriworkermap.properties:

    /path/to/url/you/want/to/forward*=$WORKER_NAME

workers.properties:

    # $WORKER_NAME must be node1 to match the worker.node1.* entries below
    worker.list=$WORKER_NAME
    worker.node1.port=$JBOSS_LISTENING_PORT
    worker.node1.host=$JBOSS_HOSTNAME_OR_IP
    worker.node1.type=ajp13
    worker.node1.ping_mode=A
    worker.node1.socket_timeout=20

Cheers-
Sandy

-----Original Message-----
From: Tom Evans [mailto:tevans.uk@xxxxxxxxxxxxxx]
Sent: Thursday, March 03, 2011 12:45 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Apache module suitable for SSL passthrough

On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <yarafatin@xxxxxxxxx> wrote:
> Hello all,
>
> My JBoss app server has mutual SSL authentication setup (We do some
> processing based on the client certificate).
>
> I need to have a web server in front of JBoss. Which is the best apache
> module that can do an SSL passthrough to JBoss?
>
>
>
> Thanks and regards,
>
> Yasser
>

There is no such thing as SSL pass through - SSL is an end to end encryption protocol, there can be no middle.
You can do SSL termination on apache and forward the appropriate sections of the client certificate through to jboss as custom HTTP headers. You cannot do SSL termination on apache and re-present the client certificate to jboss.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
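
The header-forwarding approach Tom describes, sketched with mod_ssl, mod_headers and mod_proxy_http. This is an added example, not configuration from either poster; the host names, file paths and X-SSL-Client-* header names are assumptions.

```apache
# Added example: host names, paths and header names are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    # CA(s) allowed to issue client certificates
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt

    # Request the client certificate in the initial handshake (vhost level),
    # so no renegotiation is needed and the insecure form stays disabled.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLInsecureRenegotiation off

    # "set" replaces any header of the same name sent by the client,
    # so the backend only sees values that mod_ssl produced.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # The backend listener must accept connections from this proxy only;
    # anyone who can reach it directly can supply these headers themselves.
    ProxyPass        /app http://jboss.internal.example:8080/app
    ProxyPassReverse /app http://jboss.internal.example:8080/app
</VirtualHost>

# Any other vhost that fronts the same backend has to strip the headers,
# otherwise a plain-HTTP client could claim an identity it never proved.
<VirtualHost *:80>
    ServerName www.example.com

    RequestHeader unset X-SSL-Client-Verify
    RequestHeader unset X-SSL-Client-S-DN
    RequestHeader unset X-SSL-Client-I-DN
    RequestHeader unset X-SSL-Client-Serial

    ProxyPass        /public http://jboss.internal.example:8080/public
    ProxyPassReverse /public http://jboss.internal.example:8080/public
</VirtualHost>
```

The application then makes its decisions from the forwarded header values rather than from a TLS session of its own, so it is trusting the proxy's verification result.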