Posted to users@httpd.apache.org by Peter Schober <pe...@univie.ac.at> on 2009/07/01 00:00:24 UTC

Re: [users@httpd] Proxy mode with Cert Auth

* Luis Daniel Lucio Quiroz <lu...@gmail.com> [2009-06-30 23:29]:
> I have now an apache as inverse proxy https server.  But now that server has 
> included Cert authentication in application.  The problem is that now apache 
> does not proxy, is there any configuration to let support authentication?

Is this the same question you sent to this list on 2009-05-28?
I'm not sure what you're asking this time either.

You can authenticate the proxy itself to the proxied server (the
application) if the latter requires client cert authentication:
http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html#sslproxymachinecertificatefile
This way http user agents don't need a client certificate, but then
the application only ever sees the proxy's cert, not the user agent's.
This may or may not be what you want.

And you can certainly protect the reverse proxy (or just the proxied
location on the proxy) like any other resource (mod_auth_* and third
party friends): http://httpd.apache.org/docs/2.2/en/howto/auth.html

But unless you can rephrase the problem statement (and what exactly
you're trying to achieve) it's hard to know if that is what you need.
-peter


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
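
An added example, not part of the original posts or the Apache documentation: a reverse-proxy virtual host that verifies user agents' certificates itself and authenticates to the application with SSLProxyMachineCertificateFile, as described in the reply above. Because the application then only sees the proxy's certificate, the example goes one step further and relays the verified user certificate in request headers. Host names, file paths and the X-SSL-Client-* header names are assumptions.

```apache
# Added example; host names, paths and header names are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    ServerName proxy.example.org

    # TLS towards the user agents
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/proxy-server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/proxy-server.key

    # Require and verify the user agent's certificate at the proxy
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # TLS towards the application: the proxy presents its own
    # certificate (PEM certificate plus unencrypted private key in one
    # file) and verifies the application's certificate.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem
    SSLProxyCACertificateFile      /etc/httpd/ssl/backend-ca.crt
    SSLProxyVerify require

    # Relay what the proxy verified. "set" overwrites any header of the
    # same name sent by the user agent, so the values always come from
    # mod_ssl and never from the request.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"

    ProxyPass        / https://app.internal.example.org/
    ProxyPassReverse / https://app.internal.example.org/
</VirtualHost>
```

The application should accept these headers only on connections authenticated with the proxy's certificate and should not be reachable by any other path, otherwise any client could supply the headers itself.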


Re: [users@httpd] Proxy mode with Cert Auth

Posted by Peter Schober <pe...@univie.ac.at>.
* Luis Daniel Lucio Quiroz <lu...@gmail.com> [2009-07-01 00:55]:
> I need the final server to see the agent's certificate.  
> I was reading this link:
> http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
> 
> But I don't know for sure if that is what I need

Well, you posted a complete copy-and-paste config that seemingly does
what you say you want. Where is the problem with that?
Did you try it, it doesn't work and you want to know why? Or do you
prefer spending days (or months, given that you asked about this back
in May) asking strangers whether you should try that config or not?
You really need to be more specific.
-peter



Re: [users@httpd] Proxy mode with Cert Auth

Posted by Luis Daniel Lucio Quiroz <lu...@gmail.com>.
On Tuesday 30 June 2009 17:00:24, Peter Schober wrote:
> * Luis Daniel Lucio Quiroz <lu...@gmail.com> [2009-06-30 23:29]:
> > I have now an apache as inverse proxy https server.  But now that server
> > has included Cert authentication in application.  The problem is that now
> > apache does not proxy, is there any configuration to let support
> > authentication?
>
> Is this the same question you sent to this list on 2009-05-28?
> I'm not sure what you're asking this time either.
>
> You can authenticate the proxy itself to the proxied server (the
> application) if the latter requires client cert authentication:
> http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html#sslproxymachinecertificatefile
> This way http user agents don't need a client certificate, but then
> the application only ever sees the proxy's cert, not the user agent's.
> This may or may not be what you want.
>
> And you can certainly protect the reverse proxy (or just the proxied
> location on the proxy) like any other resource (mod_auth_* and third
> party friends): http://httpd.apache.org/docs/2.2/en/howto/auth.html
>
> But unless you can rephrase the problem statement (and what exactly
> you're trying to achieve) it's hard to know if that is what you need.
> -peter


Hi, yes, it is the same question.
I need the final server to see the agent's certificate.  
I was reading this link:
http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start

But I don't know for sure if that is what I need

TIA

LD
