Posted to users@httpd.apache.org by "Guenther, Christian" <Ch...@realtech.com> on 2005/09/14 14:19:48 UTC
[users@httpd] SSL termination on apache but client certificate routed through
Hello List,
I still have this question coming up: I have an apache configured as a reverse proxy. Behind that proxy there is an application server. A client is to connect to the apache via SSL and it needs to authenticate to the internal application server with its client certificate. IS THIS AT ALL POSSIBLE?
               |                    |
               |                    |
+--------+     |     +--------+     |   +--------+
| client |-----|---->| apache |-----|-->| appsrv |
| cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
+--------+     |     +--------+     |   +--------+
               |                    |
initiates      |     encrypts       |   client logon
connection    FW1    with cert-2   FW2  with cert-1
As can be seen in the crude picture above: The client initiates the SSL connection to the apache.
The apache's cert-2 is used for encryption and the client is prepared to authenticate itself using his client cert-1. At the moment the apache is NOT configured to validate the client's certificate, but ignores it - This is because the apache has no knowledge of the application that wants the authentication in the backend server.
After the SSL connection between client and apache is established, the apache initiates a new SSL connection to the application server. This connection is encrypted with the appsrv's cert-3. Now the application server wants the client to authenticate itself using a client certificate instead of a normal username/password pair. This, of course, fails at the moment, because the certificate of the apache has no rights in the application and the client cert-1 is lost due to the apache terminating the SSL connection.
Now again my question: Can I configure the apache to forward the client cert-1 to the backend application server? Is there a module that I can use for this? I'm not sure at the moment if such a module could work at all.
As far as I understand SSL, it needs a direct connection between the two communication partners, but on the other hand a reverse proxy is a common tool to improve the security of a server on the internet, so maybe there is some way to achieve this and I'm just missing the point.
Please, can anyone help me with this?
Kind regards,
Christian
Christian Günther
SAP NetWeaver Technical Consultant
REALTECH
REALTECH system consulting GmbH
Industriestraße 39c
69190 Walldorf Germany
Tel.: +49 6227 837 267
Fax: +49 6227 837 837
Mobile: +49 173 302 2153
mailto: christian.guenther@realtech.com
AW: AW: [users@httpd] SSL termination on apache but client certificate routed through
Posted by "Guenther, Christian" <Ch...@realtech.com>.
Hi Allan, Hi List,
I see the topic is much more complicated than I first thought. I think my
main problem comes from the fact that what my customers (those
farmer guys) want breaks what is the basis of the technical SSL
implementation: terminating the SSL communication in the middle
but in the same instance using the certificates to authenticate each
other :(
>> This application server is essentially SAP XI (an XML driven data
>> exchanger)
>> and the client is a so called Business Connector. It is actually the
>> client, the BC, that wants to pass some data about harvested stuff like
>> grain or so to the XI so that they get written into the SAP system. By
>> the way, the client is a PDA that sits on top of some tractor on some field
>> in the countryside.
>
>ok, all of this is way out of my league ;)
Of mine too. I'm a security consultant :-)
>but it still sounds as it is the actual application server that is
>handling the validation of a given client certificate (and not some of
>your custom made code).
to be honest there is no such thing as custom made code on the appserver
side :-(
>if that is the case i have no idea how you would
>let the client - the BC - pass the cert in a manner so the backend would
> be forced to validate it, sorry.
well, the application server - the XI - is highly configurable. I'm in parallel at
the XI developer list and asked those guys if there is a chance to change
the XI so that it takes the client certificate from the RequestHeader.
Let's see how those guys at SAP are dealing with my inquiry
>> The application server (XI) is a system with high security requirements and
>> can therefore not be placed in a normal DMZ but is needed to be secured by
>> the proxy.
>
>hmm ok, so it is actually strictly necessary to run ssl on apache
>(reverse proxy)? i gather you cannot bypass apache on https in your set
>up ? and since you run the backend with ssl you sort of have a "double"
>ssl connection in certain circumstances.
>
>would it be possible to this (i am asking the list too) ?
>
>client connects on ssl to apache with client certificate.
>apache forwards request to, say, a cgi program. program connects to
>backend via ssl and pass client certificate data on behalf of the
>original client. backend validates client certificate and send some kind
>of response. program picks up data from response and now sends an http
>redirect to the original client request. the redirected page will
>contain the backend response/data.
>i guess im thinking pretty traditional web environment, not tractor
>environment.
lol
>> what i don't understand at this point, is why you want the validating
>> done at the backend at all, when you could have all this done at the
>> frontend.
>
>
> Because the XI requires authentication before it would let anyone talk to
> it.
> And there are different frontends that have access to different data -
> the application server needs to distinguish them.
>
>
>and it is not possible to have all the different frontend hit apache
>first i reckon, like:
>
>some client -> whatever frontend -> apache (reverse proxy) -> backend
well, the traffic goes like
+--+         +--------+          +----+
(BC) ------> | apache | -------> | XI |
+--+         +--------+          +----+
and both, BC and XI, are to think they are talking to each other directly
Re: AW: [users@httpd] SSL termination on apache but client certificate routed through
Posted by allan juul <al...@muly.dk>.
Guenther, Christian wrote:
> Hi Allan,
>
> thanks for your reply.
> I'd like to take the chance and clarify two points, just to make sure.
>
> you said:
>
>> the backend *code* has access to the client certificate.
>> is it your backend *webserver* or is it your backend *code* that is
>> handling the validation of the client certificate ?
>
>
> The backend in this case is an application server to which a client
> connects.
> This application server is essentially SAP XI (an XML driven data
> exchanger)
> and the client is a so called Business Connector. It is actually the
> client, the BC, that wants to pass some data about harvested stuff like
> grain or so to the XI so that they get written into the SAP system. By
> the way, the client is a PDA that sits on top of some tractor on some field
> in the countryside.
ok, all of this is way out of my league ;)
but it still sounds as it is the actual application server that is
handling the validation of a given client certificate (and not some of
your custom made code). if that is the case i have no idea how you would
let the client - the BC - pass the cert in a manner so the backend would
be forced to validate it, sorry.
>
> The both components are talking to each other in a completely automated
> manner - no user interaction at all.
> The Application server requires some form of authentication for the client
> to let it talk to him. Possible authentication systems are
> username/password
> which is not an option here due to corporate regulations, SAP Logon
> Tickets, which apache does not understand and SSL certificates.
>
> The application server (XI) is a system with high security requirements and
> can therefore not be placed in a normal DMZ but is needed to be secured by
> the proxy.
hmm ok, so it is actually strictly necessary to run ssl on apache
(reverse proxy)? i gather you cannot bypass apache on https in your set
up ? and since you run the backend with ssl you sort of have a "double"
ssl connection in certain circumstances.
would it be possible to this (i am asking the list too) ?
client connects on ssl to apache with client certificate.
apache forwards request to, say, a cgi program. program connects to
backend via ssl and pass client certificate data on behalf of the
original client. backend validates client certificate and send some kind
of response. program picks up data from response and now sends an http
redirect to the original client request. the redirected page will
contain the backend response/data.
i guess im thinking pretty traditional web environment, not tractor
environment.
>> what i don't understand at this point, is why you want the validating
>> done at the backend at all, when you could have all this done at the
>> frontend.
>
>
> Because the XI requires authentication before it would let anyone talk to
> it.
> And there are different frontends that have access to different data -
> the application server needs to distinguish them.
and it is not possible to have all the different frontend hit apache
first i reckon, like:
some client -> whatever frontend -> apache (reverse proxy) -> backend
>> is it really necessary to do the webserver validation on the backend. is
>> it actually possible to bypass the apache frontend and therefore access
>> the backend directly (which sounds slightly insecurish)
>> (the solution i described, we had https at the frontend and http at the
>> backend)
>
>
> I fear it is at least necessary to give the XI access to the name of the
> client connecting - in whatever way. The way the system is configured at
> the moment it requires a client ssl certificate!
>
> Regards,
>
> Christian
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
AW: [users@httpd] SSL termination on apache but client certificate routed through
Posted by "Guenther, Christian" <Ch...@realtech.com>.
Hi Allan,
thanks for your reply.
I'd like to take the chance and clarify two points, just to make sure.
you said:
> the backend *code* has access to the client certificate.
> is it your backend *webserver* or is it your backend *code* that is
> handling the validation of the client certificate ?
The backend in this case is an application server to which a client connects.
This application server is essentially SAP XI (an XML driven data exchanger)
and the client is a so called Business Connector.
It is actually the client, the BC, that wants to pass some data about
harvested stuff like grain or so to the XI so that they get written into
the SAP system.
By the way, the client is a PDA that sits on top of some tractor on some field
in the countryside.
The both components are talking to each other in a completely
automated manner - no user interaction at all.
The Application server requires some form of authentication for the client
to let it talk to him. Possible authentication systems are username/password
which is not an option here due to corporate regulations, SAP Logon
Tickets, which apache does not understand and SSL certificates.
The application server (XI) is a system with high security requirements and
can therefore not be placed in a normal DMZ but is needed to be secured by
the proxy.
> what i don't understand at this point, is why you want the validating
> done at the backend at all, when you could have all this done at the
> frontend.
Because the XI requires authentication before it would let anyone talk to it.
And there are different frontends that have access to different data - the
application server needs to distinguish them.
> is it really necessary to do the webserver validation on the backend. is
> it actually possible to bypass the apache frontend and therefore access
> the backend directly (which sounds slightly insecurish)
> (the solution i described, we had https at the frontend and http at the
> backend)
I fear it is at least necessary to give the XI access to the name of the client
connecting - in whatever way. The way the system is configured at the
moment it requires a client ssl certificate!
Regards,
Christian
Re: [users@httpd] SSL termination on apache but client certificate routed through
Posted by allan juul <al...@muly.dk>.
> If I get that right your solution would provide the client certificate
> to the backend server in the form of a header variable. Is that
> correct?
yes, that's correct
> Therefor the client certificate would not be available as part of a
> normal, standard-conforming SSL handshake but essentially be copied in
> the normal http data part. I would then need to change my backend
> server's code to look for the certificate at a different place?
exactly
> Don't get me wrong, if my developers here tell me that they can change
> our application server in this way, I'd be more than happy to use that
> solution.. I just don't see how the server could validate the
> certificate in this scenario as he does not have access to the client
> but only to the reverse proxy.
the backend *code* has access to the client certificate.
is it your backend *webserver* or is it your backend *code* that is
handling the validation of the client certificate ?
what i don't understand at this point, is why you want the validating
done at the backend at all, when you could have all this done at the
frontend.
is it really necessary to do the webserver validation on the backend. is
it actually possible to bypass the apache frontend and therefore access
the backend directly (which sounds slightly insecurish)
(the solution i described, we had https at the frontend and http at the
backend)
> Let me ask you this question: If I'd provide the client certificate to
> the backend application server during the normal SSL handshake between
> apache and application server - let's say I would copy it to the place
> where the apache certificate would normally be -, that surely would
> lead to a mismatch between the DN of the certificate and the hostname
> of the server presenting the certificate, would it not?
i don't know. but it does not sound possible.
./allan
Re: [users@httpd] SSL termination on apache but client certificate routed through
Posted by isha b <is...@gmail.com>.
Christian,
Apache modules mod_proxy_http and mod_proxy_html will help to solve
your problem.
Compile and include these modules in your httpd.conf as:
# Example:
# LoadModule foo_module modules/mod_foo.so
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
Next,
under <IfModule> put these entries above your ProxyPass entries:
<IfModule mod_proxy.c>
    RequestHeader set Front-End-Https "On"
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyHTMLLogVerbose On
    LogLevel Info
    ProxyHTMLExtended On
    # replace from-pattern, to-pattern and flags with your own URL mapping
    ProxyHTMLURLMap from-pattern to-pattern flags
    AllowCONNECT 443
</IfModule>
Restart Apache and see the result !!!
My servers with back to back SSL are working fine with this configuration !
Regards,
Isha B
PL -Technical Support Group
Syntel Ltd
On 9/14/05, Guenther, Christian <Ch...@realtech.com> wrote:
>
> Hello List,
> I still have this question coming up: I have an apache configured as a
> reverse proxy. Behind that proxy there is an application server. A client is
> to connect to the apache via SSL and it needs to authenticate to the
> internal application server with its client certificate. IS THIS AT ALL
> POSSIBLE?
>                |                    |
>                |                    |
> +--------+     |     +--------+     |   +--------+
> | client |-----|---->| apache |-----|-->| appsrv |
> | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
> +--------+     |     +--------+     |   +--------+
>                |                    |
> initiates      |     encrypts       |   client logon
> connection    FW1    with cert-2   FW2  with cert-1
>
> As can be seen in the crude picture above: The client initiates the SSL
> connection to the apache.
> The apache's cert-2 is used for encryption and the client is prepared to
> authenticate itself using
> his client cert-1. At the moment the apache is NOT configured to validate
> the client's certificate, but ignores it - This is because the apache has no
> knowledge of the application that wants the authentication in the backend
> server.
> After the SSL connection between client and apache is established, the
> apache initiates a new SSL connection to the application server. This
> connection is encrypted with the appsrv's cert-3. Now the application server
> wants the client to authenticate itself using a client certificate instead of
> a normal username/password pair. This, of course, fails at the moment,
> because the certificate of the apache has no rights in the application and
> the client cert-1 is lost due to the apache terminating the SSL connection.
> Now again my question: Can I configure the apache to forward the client
> cert-1 to the backend application server? Is there a module that I can use
> for this? I'm not sure at the moment if such a module could work at all.
> As far as I understand SSL, it needs a direct connection between the two
> communication partners, but on the other hand a reverse proxy is a common
> tool to improve the security of a server on the internet, so maybe there is
> some way to achieve this and I'm just missing the point.
> Please, can anyone help me with this?
> Kind regards,
> Christian
> Christian Günther
> SAP NetWeaver Technical Consultant
> REALTECH
>
> REALTECH system consulting GmbH
> Industriestraße 39c
> 69190 Walldorf Germany
> Tel.: +49 6227 837 267
> Fax: +49 6227 837 837
> Mobile: +49 173 302 2153
> mailto: christian.guenther@realtech.com
>
AW: [users@httpd] SSL termination on apache but client certificate routed through
Posted by "Guenther, Christian" <Ch...@realtech.com>.
Hi Allan,
If I get that right your solution would provide the client certificate to the backend server in the form of a header variable. Is that correct? Therefore the client certificate would not be available as part of a normal, standard-conforming SSL handshake but essentially be copied in the normal http data part. I would then need to change my backend server's code to look for the certificate at a different place?
Don't get me wrong, if my developers here tell me that they can change our application server in this way, I'd be more than happy to use that solution. I just don't see how the server could validate the certificate in this scenario as he does not have access to the client but only to the reverse proxy.
Let me ask you this question: If I'd provide the client certificate to the backend application server during the normal SSL handshake between apache and application server - let's say I would copy it to the place where the apache certificate would normally be -, that surely would lead to a mismatch between the DN of the certificate and the hostname of the server presenting the certificate, would it not?
Greetings,
Christian
From: allan@muly.dk
Sent: Wed 14.09.2005 15:08
To: users@httpd.apache.org; Guenther, Christian
Cc: users@httpd.apache.org
Subject: Re: [users@httpd] SSL termination on apache but client certificate routed through
Quoting "Guenther, Christian" <Ch...@realtech.com>:
> Hello List,
>
> I still have this question coming up: I have an apache configured as
> a reverse proxy. Behind that proxy there is an application server. A
> client is to connect to the apache via SSL and it needs to
> authenticate to the internal application server with its client
> certificate. IS THIS AT ALL POSSIBLE?
yes, we have that.
>
>
>                |                    |
>                |                    |
> +--------+     |     +--------+     |   +--------+
> | client |-----|---->| apache |-----|-->| appsrv |
> | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
> +--------+     |     +--------+     |   +--------+
>                |                    |
> initiates      |     encrypts       |   client logon
> connection    FW1    with cert-2   FW2  with cert-1
>
>
> As can be seen in the crude picture above: The client initiates the
> SSL connection to the apache.
> The apache's cert-2 is used for encryption and the client is prepared
> to authenticate itself using
> his client cert-1. At the moment the apache is NOT configured to
> validate the client's certificate, but ignores it - This is because
> the apache has no knowledge of the application that wants the
> authentication in the backend server.
> After the SSL connection between client and apache is established,
> the apache initiates a new SSL connection to the application server.
> This connection is encrypted with the appsrv's cert-3. Now the
> application server wants the client to authenticate itself using
> a client certificate instead of a normal username/password pair.
> This, of course, fails at the moment, because the certificate of the
> apache has no rights in the application and the client cert-1 is lost
> due to the apache terminating the SSL connection.
>
> Now again my question: Can I configure the apache to forward the
> client cert-1 to the backend application server? Is there a module
> that I can use for this? I'm not sure at the moment if such a module
> could work at all.
yes, mod_rewrite can do this.
this is some old stuff, but you might get the idea:
# internal function
RewriteMap canonicalize int:escape
# client cert check (a mod_rewrite pattern takes no slash delimiters)
RewriteCond %{SSL:SSL_CLIENT_CERT} ^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+CERTIFICATE-----$ [NC]
# ok we had a client cert so first put it in an env variable
RewriteRule ^/login - [E=FORWARD_CERT:${canonicalize:%1}]
# then use that env variable to forward it to the app server via a custom requestheader
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT
with this you should have the backend code on the appserver pull out
the requestheader value and authenticate via that
./allan
Re: [users@httpd] SSL termination on apache but client certificate routed through
Posted by al...@muly.dk.
Quoting "Guenther, Christian" <Ch...@realtech.com>:
> Hello List,
>
> I still have this question coming up: I have an apache configured as
> a reverse proxy. Behind that proxy there is an application server. A
> client is to connect to the apache via SSL and it needs to
> authenticate to the internal application server with its client
> certificate. IS THIS AT ALL POSSIBLE?
yes, we have that.
>
>
>                |                    |
>                |                    |
> +--------+     |     +--------+     |   +--------+
> | client |-----|---->| apache |-----|-->| appsrv |
> | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
> +--------+     |     +--------+     |   +--------+
>                |                    |
> initiates      |     encrypts       |   client logon
> connection    FW1    with cert-2   FW2  with cert-1
>
>
> As can be seen in the crude picture above: The client initiates the
> SSL connection to the apache.
> The apache's cert-2 is used for encryption and the client is prepared
> to authenticate itself using
> his client cert-1. At the moment the apache is NOT configured to
> validate the client's certificate, but ignores it - This is because
> the apache has no knowledge of the application that wants the
> authentication in the backend server.
> After the SSL connection between client and apache is established,
> the apache initiates a new SSL connection to the application server.
> This connection is encrypted with the appsrv's cert-3. Now the
> application server wants the client to authenticate itself using
> a client certificate instead of a normal username/password pair.
> This, of course, fails at the moment, because the certificate of the
> apache has no rights in the application and the client cert-1 is lost
> due to the apache terminating the SSL connection.
>
> Now again my question: Can I configure the apache to forward the
> client cert-1 to the backend application server? Is there a module
> that I can use for this? I'm not sure at the moment if such a module
> could work at all.
yes, mod_rewrite can do this.
this is some old stuff, but you might get the idea:
# internal function
RewriteMap canonicalize int:escape
# client cert check (a mod_rewrite pattern takes no slash delimiters)
RewriteCond %{SSL:SSL_CLIENT_CERT} ^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+CERTIFICATE-----$ [NC]
# ok we had a client cert so first put it in an env variable
RewriteRule ^/login - [E=FORWARD_CERT:${canonicalize:%1}]
# then use that env variable to forward it to the app server via a custom requestheader
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT
with this you should have the backend code on the appserver pull out
the requestheader value and authenticate via that
./allan
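As an added example (not code from this thread, from Apache or from SAP), here is the backend half of the scheme allan describes, written in Go: the proxy side turns the client certificate into the escaped header value that the RewriteRule/RequestHeader pair produces, and the backend unescapes it, rebuilds the certificate and verifies it against its own CA set. Everything in it is constructed for the demo: the CA, the client and rogue certificates, the proxy address 10.0.0.2, and the names mkCert, proxyHeaderValue, Backend and Demo. It assumes that Apache's int:escape produces ordinary percent-encoding (so url.PathUnescape reverses it) and that the backend can see the peer address of the connection. Two things worth noting about this pattern from the defender's side: Apache only receives the client certificate at all when SSLVerifyClient is set to optional or require, and a header like APACHE_CLIENT_CERT_HARD is only trustworthy if the backend accepts it solely from the proxy and the proxy strips any copy of that header a client sends in itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// mkCert issues a certificate for cn (constructed test PKI). With parent nil it
// is a self-signed CA; otherwise it is a client-auth leaf signed by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// proxyHeaderValue reproduces what the thread's RewriteRule puts into the
// APACHE_CLIENT_CERT_HARD header: the PEM body (base64 DER) run through
// int:escape, assumed here to be plain percent-encoding as url.PathEscape does.
func proxyHeaderValue(cert *x509.Certificate) string {
	return url.PathEscape(base64.StdEncoding.EncodeToString(cert.Raw))
}

// Backend stands in for the application server's header-based authentication.
// trustedProxy is the only peer allowed to assert the header: anyone else who
// can reach the backend could otherwise forge it and impersonate any client.
type Backend struct {
	roots        *x509.CertPool
	trustedProxy net.IP
}

// Authenticate returns the subject CN of the forwarded client certificate after
// verifying its chain against the backend's own trusted CA set.
func (b *Backend) Authenticate(peer net.IP, header string) (string, error) {
	if !peer.Equal(b.trustedProxy) {
		return "", fmt.Errorf("forwarded-cert header accepted only from the proxy, got %s", peer)
	}
	body, err := url.PathUnescape(header) // not QueryUnescape: '+' is base64 data, not a space
	if err != nil {
		return "", fmt.Errorf("malformed header: %w", err)
	}
	der, err := base64.StdEncoding.DecodeString(body) // the decoder skips PEM line breaks
	if err != nil || len(der) == 0 {
		return "", fmt.Errorf("header is not a certificate body (%v)", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: b.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Demo runs the cases a backend must tell apart: a genuine forwarded cert, a
// cert from a CA the backend does not trust, and the header from a non-proxy peer.
func Demo() (okCN string, forgedErr, spoofErr error) {
	ca, caKey := mkCert("Farm Root CA", nil, nil)
	client, _ := mkCert("tractor-pda-0001", ca, caKey)
	rogueCA, rogueKey := mkCert("Rogue CA", nil, nil)
	rogue, _ := mkCert("tractor-pda-0001", rogueCA, rogueKey)
	proxy := net.ParseIP("10.0.0.2") // constructed proxy address
	be := &Backend{roots: x509.NewCertPool(), trustedProxy: proxy}
	be.roots.AddCert(ca)
	okCN, _ = be.Authenticate(proxy, proxyHeaderValue(client))
	_, forgedErr = be.Authenticate(proxy, proxyHeaderValue(rogue))
	_, spoofErr = be.Authenticate(net.ParseIP("10.0.0.99"), proxyHeaderValue(client))
	return
}

func main() {
	fmt.Println(Demo())
}
```

Running it with `go run` prints the accepted CN for the genuine certificate and an error for each of the other two cases; the peer check comes before any parsing so that a forged header from an untrusted host is rejected without ever being decoded.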