Posted to users@httpd.apache.org by Liegler, Jörg <Jo...@adesso.at> on 2010/09/16 15:32:50 UTC

[users@httpd] Apache proxy as client to ssl server

Hi! Pls help with the following scenario:

http Server -> Apache proxy -> A) HTTPS Service with self signed certificate A_C
                            -> B) HTTPS Service with certificate B_C signed by thawte T_CA

I am sending http requests to the Apache proxy. On Apache proxy, I have a virtual host with 
...
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia On
    ProxyTimeout 2
    SSLEngine off
    SSLProxyEngine on
    SSLProxyVerifyDepth 2
    SSLProxyVerify require
    SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl/???.pem
    <Location ...
       ProxyPass https://....
...

On servers A and B, there is no client key authentication, so just simple https.

My questions:

- What do I have to put in ???.pem for the SSLProxyMachineCertificateFile. If - how do I have to use openssl to generate client keys?

- Do I have to put the A_C and B_C from servers A and B somewhere in order to pass SSLProxyVerify require? Do I have to insert that T_CA certificate additionally, or the whole chain?

- Am I missing some other definitions?

Thx a lot

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache proxy as client to ssl server

Posted by Joost de Heer <jo...@sanguis.xs4all.nl>.
On Thu, September 16, 2010 15:32, Liegler, Jörg wrote:

> On servers A and B, there is no client key authentication, so just simple
> https.
>
> My questions:
>
> - What do I have to put in ???.pem for the SSLProxyMachineCertificateFile.
> If - how do I have to use openssl to generate client keys?

You don't need this, since you don't use client certificates on the
backend server.

> - Do I have to put the A_C and B_C from servers A and B somewhere in
> order to pass SSLProxyVerify require? Do I have to insert that T_CA
> certificate additionally, or the whole chain?

If you don't use SSLProxyVerify, no verification is done. Use this only if
you're paranoid, or if you're connecting to servers outside your own
domain.

If you do want to use SSLProxyVerify require, you need to add the signer
certificates to a file, and point to this file with
SSLProxyCACertificateFile (or SSLProxyCACertificatePath).

Joost
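
As an added example (not part of the reply above and not Apache project code), this script shows which certificates belong in the file named by SSLProxyCACertificateFile for the two backends in the question. It generates constructed stand-ins for A_C, T_CA and B_C with openssl and checks them with openssl verify; all file names, subjects and paths are assumptions.

```shell
#!/bin/sh
# Added example. Every name, subject and path here is a constructed stand-in.
set -u
WORK=$(mktemp -d)

# Self-signed certificate: stands in for A_C and for the root T_CA.
self_signed() {  # $1 = file stem, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Certificate issued by an existing CA: stands in for B_C.
ca_signed() {  # $1 = file stem, $2 = CN, $3 = CA file stem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 2 -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Prints "ok" if the certificate chains to a trust anchor in the bundle.
trusted() {  # $1 = bundle file, $2 = certificate stem
  if openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

self_signed A_C backend-a.example
self_signed T_CA "Constructed Root CA"
ca_signed B_C backend-b.example T_CA

# Bundle to name in SSLProxyCACertificateFile: A_C signs itself, so it is
# its own signer certificate; B_C needs the root that issued it.
cat "$WORK/A_C.pem" "$WORK/T_CA.pem" > "$WORK/proxy-ca-bundle.pem"
# Incomplete bundle: the signer of B_C is missing.
cat "$WORK/A_C.pem" > "$WORK/incomplete.pem"

echo "A_C against full bundle:       $(trusted "$WORK/proxy-ca-bundle.pem" A_C)"
echo "B_C against full bundle:       $(trusted "$WORK/proxy-ca-bundle.pem" B_C)"
echo "B_C against incomplete bundle: $(trusted "$WORK/incomplete.pem" B_C)"
```

With SSLProxyVerify require, a backend whose certificate fails this check is one the proxy would refuse to connect to.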