Posted to users@httpd.apache.org by "Lucuk, Pete" <pe...@ngc.com> on 2006/11/10 22:38:43 UTC

[users@httpd] Apache Proxy, Client Certificate, HTTPS, etc. questions?

I just read this...

	Proxy SSL and Client Certificates
	
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=115930874503040&w=2

and want to make sure I fully understand it; I have questions at the
end of this email.

Background...

In our development environment we have a JBoss server that runs a web
based application...

- the web based application only communicates over HTTPS
- the web based application requires the web browser client to send its
client certificate to JBoss
- the web browser client PC and the JBoss physical server machine both
reside on the same network with nothing between them
- JBoss performs authentication and authorization based on content in
the sent client certificate from the web browser client PC

The above setup works like a champ in our development environment.


My problem...

We have been tasked to set up our Jboss server web based application in a
production environment like so...

- The Jboss server will reside on physical server A
- The web browser client PC will NOT be on the same network as physical
server A
- there are multiple firewalls between web browser client PC and the
Jboss server that resides on physical server A
- there is however one physical box, let's call it physical server B,
that...

	- the web browser client PCs CAN see and connect to
	- the Jboss server physical server A CAN also see and connect to

- this physical box B is literally a server box that currently has
certain ports open and tomcat and apache running on it serving out
content to web browser client PCs.

- We are NOT allowed to put our Jboss server on it currently for
multiple reasons, long story

- we MUST run our Jboss web based application on physical server A
behind physical server B.

So we are currently looking for ways to bridge the gap between our
Jboss web based application on physical server A and the web browser
client PCs so that we can perform both...

- HTTPS
- client certificate A&A

I am currently looking at Apache 2.2.3 and its proxy support to bridge
the gap.  Almost everything I have read tells me that...

- I CAN do the HTTPS portion
- but that I can NOT do the client certificate A&A portion

Can you please confirm the above two assumptions and give some input as
why and why not.  I need to bring the info to my management and formally
document it.

If Apache with proxy support can not do it, do you know of any piece of
"software" that could do it?  I assume iptables or ipfilter could do it,
BUT we would be hard pressed to be allowed to install anything like that
on there that requires root. 

Basically I *think* I need a transparent proxy that takes whatever it
gets at the TCP/IP level and forwards it on to the correct physical
server.  I have read some stuff that says that you can do it with
Apache...

http://www.redhat.com/docs/manuals/stronghold/Stronghold-3.0-Manual/admin-guide/chapter2.fm.html#71712.Heading1.Proxy.Authentication

Normal proxy service (configured with ProxyRequests) uses the CONNECT
protocol. Normal proxy service passes the browser's client certificate
to the remote server during SSL and TLS transactions. The remote server
then authenticates the browser and not the proxy server. The browser
verifies the remote server's site certificate.


Thanks much for your time and input, I greatly appreciate it.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache Proxy, Client Certificate, HTTPS, etc. questions?

Posted by Sander Temme <sc...@apache.org>.
Pete,

On Nov 10, 2006, at 1:38 PM, Lucuk, Pete wrote:

> So we are currently looking for ways to bridge the gap between our
> Jboss web based application on physical server A and the web browser
> client PCs so that we can perform both...
>
> - HTTPS
> - client certificate A&A
>
> I am currently looking at Apache 2.2.3 and its proxy support to bridge
> the gap.  Almost everything I have read tells me that...
>
> - I CAN do the HTTPS portion
> - but that I can NOT do the client certificate A&A portion
>
> Can you please confirm the above two assumptions and give some input as
> why and why not.  I need to bring the info to my management and formally
> document it.

There are several ways to do this:

1) Use the Apache httpd with mod_proxy to forward HTTP requests in a
reverse proxy setup. mod_ssl will perform the SSL handshake, and
insert the client-side certificate information into the forwarded
requests as custom HTTP request headers. It is then up to your
application to parse these headers and extract the identity information.

2) Use Apache with mod_jk. The mod_jk module can forward SSL
connection information to the application server, and I believe this
includes the client side certificate. This info should then be
available in the request objects in the same fashion as when the
HTTPS request arrives directly at the application server.

The above is of course a very brief and general description, and
adapting this to your specific deployment needs would take work
significantly beyond the scope of this list.

Regards,

Sander

-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
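An added example of option 1 above (not configuration from either poster): an httpd 2.2 virtual host on server B that terminates HTTPS, requires a client certificate chaining to a known CA, and forwards the verified identity to JBoss on server A as request headers. Hostnames, file paths and the X-SSL-Client-* header names are assumptions, and the setup is only safe if server A accepts these headers solely from server B.

```apache
# Added example, not from the thread: reverse proxy with client-certificate
# authentication at the proxy. Paths, hostnames and header names are assumed.
Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server-b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server-b.key

    # Client certificate A&A happens here, on server B: the handshake fails
    # unless the browser presents a certificate issued by this CA.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export SSL_CLIENT_* variables so mod_headers can read them.
    SSLOptions +StdEnvVars

    # "set" replaces any same-named header the browser sent, so a client cannot
    # inject its own identity through the proxy.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}e"
    RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}e"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}e"

    # Reverse proxy, not the forward/CONNECT mode the Stronghold text describes.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://server-a.internal:8080/
    ProxyPassReverse / http://server-a.internal:8080/
</VirtualHost>
```

The JBoss application then reads X-SSL-Client-DN instead of the servlet request's certificate attribute; because that header is plain text, server A must be reachable only from server B (firewall or a JBoss-side source-address check), otherwise anyone who can reach port 8080 directly can assert any identity.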