Posted to users@httpd.apache.org by yasser arafat <ya...@gmail.com> on 2011/03/03 18:12:03 UTC

[users@httpd] Apache module suitable for SSL passthrough

Hello all,

My JBoss app server has mutual SSL authentication setup (We do some
processing based on the client certificate).

I need to have a web server in front of JBoss. Which is the best apache
module that can do an SSL passthrough to JBoss?



Thanks and regards,

Yasser

Re: [users@httpd] Apache module suitable for SSL passthrough

Posted by yasser arafat <ya...@gmail.com>.
Thanks for the reply Tom.

I have an application in JBoss setup with a CLIENT_CERT mode of
authentication. When a user tries to access a secure URL, the JAAS login
module kicks off, captures the client certificate and extracts the CN data
from it for authorization.
With the current setup, I cannot change the authentication to read from HTTP
headers.
I was just hoping that there may be some apache module that can pass along
the client cert as is.



Thanks,
Yasser


On Thu, Mar 3, 2011 at 12:45 PM, Tom Evans <te...@googlemail.com> wrote:

> On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <ya...@gmail.com> wrote:
> > Hello all,
> >
> > My JBoss app server has mutual SSL authentication setup (We do some
> > processing based on the client certificate).
> >
> > I need to have a web server in front of JBoss. Which is the best apache
> > module that can do an SSL passthrough to JBoss?
> >
> >
> >
> > Thanks and regards,
> >
> > Yasser
> >
> >
>
> There is no such thing as SSL pass through - SSL is an end to end
> encryption protocol, there can be no middle.
>
> You can do SSL termination on apache and forward the appropriate
> sections of the client certificate through to jboss as custom HTTP
> headers. You cannot do SSL termination on apache and re-present the
> client certificate to jboss.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] Apache module suitable for SSL passthrough

Posted by yasser arafat <ya...@gmail.com>.
Thank you Sandy and Tom,

It worked.
My question should have been to know the transfer of client certificate
rather than making SSL pass through.


Thanks,
Yasser


On Thu, Mar 3, 2011 at 2:13 PM, Voellinger, Sandy <
Sandy.Voellinger@neustar.biz> wrote:

> Yasser -
>
> As Tom mentioned in his response, you must terminate SSL, there is no
> "passthrough".  However, what I think you are looking for is the ability to
> terminate SSL at apache and pass the client certificate as part of the
> request that you forward to Jboss.  If this is the case, you can do the
> following with mod_jk/apache:
>
> Within your vhost context:
>
> # Define your ssl bits as needed to correctly terminate the two way
> handshake:
> SSLEngine on
> SSLCertificateKeyFile $FULL_PATH_TO_FILENAME
> SSLCertificateChainFile $FULL_PATH_TO_FILENAME
> SSLCACertificateFile $FULL_PATH_TO_FILENAME
> SSLCertificateFile $FULL_PATH_TO_FILENAME
> SSLInsecureRenegotiation on
>
>
>
> # The following directive will include the client certificate that is
> presented for 2way ssl in the data sent to your application server:
>
> SSLOptions +ExportCertData +StdEnvVars
>
>
>
> If you use mod_jk to pass your connection from apache to jboss, you'll need
> to define the following:
>
> uriworkermap.properties:
> /path/to/url/you/want/to/forward*=$WORKER_NAME
>
>
> workers.properties:
> # The name after "worker." must match the name in worker.list and in
> # uriworkermap.properties.
> worker.list=$WORKER_NAME
> worker.$WORKER_NAME.port=$JBOSS_LISTENING_PORT
> worker.$WORKER_NAME.host=$JBOSS_HOSTNAME_OR_IP
> worker.$WORKER_NAME.type=ajp13
> worker.$WORKER_NAME.ping_mode=A
> worker.$WORKER_NAME.socket_timeout=20
>
> Cheers-
> Sandy
>
>
>
>
>
> -----Original Message-----
> From: Tom Evans [mailto:tevans.uk@googlemail.com]
> Sent: Thursday, March 03, 2011 12:45 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache module suitable for SSL passthrough
>
> On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <ya...@gmail.com> wrote:
> > Hello all,
> >
> > My JBoss app server has mutual SSL authentication setup (We do some
> > processing based on the client certificate).
> >
> > I need to have a web server in front of JBoss. Which is the best apache
> > module that can do an SSL passthrough to JBoss?
> >
> >
> >
> > Thanks and regards,
> >
> > Yasser
> >
> >
>
> There is no such thing as SSL pass through - SSL is an end to end
> encryption protocol, there can be no middle.
>
> You can do SSL termination on apache and forward the appropriate
> sections of the client certificate through to jboss as custom HTTP
> headers. You cannot do SSL termination on apache and re-present the
> client certificate to jboss.
>
> Cheers
>
> Tom
>
>
>

RE: [users@httpd] Apache module suitable for SSL passthrough

Posted by "Voellinger, Sandy" <Sa...@neustar.biz>.
Yasser -

As Tom mentioned in his response, you must terminate SSL, there is no "passthrough".  However, what I think you are looking for is the ability to terminate SSL at apache and pass the client certificate as part of the request that you forward to Jboss.  If this is the case, you can do the following with mod_jk/apache:

Within your vhost context:

# Define your ssl bits as needed to correctly terminate the two way handshake:
SSLEngine on
SSLCertificateKeyFile $FULL_PATH_TO_FILENAME
SSLCertificateChainFile $FULL_PATH_TO_FILENAME
SSLCACertificateFile $FULL_PATH_TO_FILENAME
SSLCertificateFile $FULL_PATH_TO_FILENAME
# Only needed for clients that cannot do RFC 5746 secure renegotiation;
# leave it at the default (off) otherwise.
SSLInsecureRenegotiation on



# The following directive will include the client certificate that is presented for 2way ssl in the data sent to your application server:

SSLOptions +ExportCertData +StdEnvVars



If you use mod_jk to pass your connection from apache to jboss, you'll need to define the following:

uriworkermap.properties:
/path/to/url/you/want/to/forward*=$WORKER_NAME


workers.properties:
# The name after "worker." must match the name in worker.list and in
# uriworkermap.properties.
worker.list=$WORKER_NAME
worker.$WORKER_NAME.port=$JBOSS_LISTENING_PORT
worker.$WORKER_NAME.host=$JBOSS_HOSTNAME_OR_IP
worker.$WORKER_NAME.type=ajp13
worker.$WORKER_NAME.ping_mode=A
worker.$WORKER_NAME.socket_timeout=20

Cheers-
Sandy





-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com] 
Sent: Thursday, March 03, 2011 12:45 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache module suitable for SSL passthrough

On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <ya...@gmail.com> wrote:
> Hello all,
>
> My JBoss app server has mutual SSL authentication setup (We do some
> processing based on the client certificate).
>
> I need to have a web server in front of JBoss. Which is the best apache
> module that can do an SSL passthrough to JBoss?
>
>
>
> Thanks and regards,
>
> Yasser
>
>

There is no such thing as SSL pass through - SSL is an end to end
encryption protocol, there can be no middle.

You can do SSL termination on apache and forward the appropriate
sections of the client certificate through to jboss as custom HTTP
headers. You cannot do SSL termination on apache and re-present the
client certificate to jboss.

Cheers

Tom



Re: [users@httpd] Apache module suitable for SSL passthrough

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <ya...@gmail.com> wrote:
> Hello all,
>
> My JBoss app server has mutual SSL authentication setup (We do some
> processing based on the client certificate).
>
> I need to have a web server in front of JBoss. Which is the best apache
> module that can do an SSL passthrough to JBoss?
>
>
>
> Thanks and regards,
>
> Yasser
>
>

There is no such thing as SSL pass through - SSL is an end to end
encryption protocol, there can be no middle.

You can do SSL termination on apache and forward the appropriate
sections of the client certificate through to jboss as custom HTTP
headers. You cannot do SSL termination on apache and re-present the
client certificate to jboss.

Cheers

Tom

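The two answers in this thread describe the same front-end setup in two variants: Sandy's, where mod_jk carries the verified client certificate to JBoss over AJP so the existing CLIENT_CERT login module keeps working unchanged, and Tom's, where selected certificate fields are forwarded as custom HTTP headers to a plain-HTTP backend. The vhost below is an added example written for this page; it is not configuration from either poster or from the Apache project. The hostname, file paths, the worker name `jboss_node1`, the header names and the backend port are placeholders, and the worker is assumed to be defined in workers.properties as shown earlier in the thread.

```apache
# Added example, not part of the original thread. Terminates the mutual-TLS
# handshake at httpd and hands the verified client certificate to JBoss.
# All names and paths are placeholders.

# mod_jk global settings (JkWorkersFile is only valid outside a vhost).
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info

<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/app.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate-chain.crt

    # Client certificates must chain to this CA bundle. "require" makes httpd
    # reject the handshake when no valid client certificate is presented, so
    # nothing reaches JBoss without one.
    SSLCACertificateFile /etc/ssl/certs/client-ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # +ExportCertData populates SSL_CLIENT_CERT (the PEM certificate) so it
    # can be forwarded; +StdEnvVars populates SSL_CLIENT_S_DN_CN,
    # SSL_CLIENT_VERIFY, SSL_CLIENT_M_SERIAL and friends.
    # SSLInsecureRenegotiation is deliberately left at its default (off);
    # enable it only for clients that lack RFC 5746 secure renegotiation.
    SSLOptions +ExportCertData +StdEnvVars

    # Variant 1 (Sandy): mod_jk forwards SSL_CLIENT_CERT as an AJP attribute.
    # JBoss exposes it as javax.servlet.request.X509Certificate, which is what
    # a CLIENT_CERT login module reads, so the JAAS CN extraction is untouched.
    JkMount /secure/* jboss_node1

    # Variant 2 (Tom), for a plain-HTTP backend instead of AJP: forward the
    # fields the application needs as headers. "set" overwrites any header of
    # the same name sent by the client, so the backend never sees a value that
    # did not come from httpd's own verification of the handshake.
    # RequestHeader set X-Client-Cert-CN     "%{SSL_CLIENT_S_DN_CN}e"
    # RequestHeader set X-Client-Cert-Verify "%{SSL_CLIENT_VERIFY}e"
    # RequestHeader set X-Client-Cert-Serial "%{SSL_CLIENT_M_SERIAL}e"
    # ProxyPass        /secure/ http://127.0.0.1:8080/secure/
    # ProxyPassReverse /secure/ http://127.0.0.1:8080/secure/
</VirtualHost>
```

With variant 2 the backend must be reachable only from httpd (firewall or loopback binding), because the headers are trusted on the assumption that httpd is the only party that can set them; with variant 1 the same applies to the AJP port. In both variants the authorization decision in JBoss is only as good as `SSLCACertificateFile` and `SSLVerifyClient require` at the front end, which is where the certificate is actually validated.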