Posted to users@httpd.apache.org by al...@muly.dk on 2005/09/14 15:08:23 UTC

Re: [users@httpd] SSL termination on apache but client certificate routed through

Quoting "Guenther, Christian" <Ch...@realtech.com>:

> Hello List,
>
> I still have this question coming up: I have an apache configured as 
> a reverse proxy. Behind that proxy there is an application server. A 
> client is to connect to the apache via SSL and it needs to 
> authenticate to the internal application server with its client 
> certificate. IS THIS AT ALL POSSIBLE?

Yes, we have that.

>
>
>                  |                    |
>                  |                    |
>   +--------+     |     +--------+     |   +--------+
>   | client |-----|---->| apache |-----|-->| appsrv |
>   | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
>   +--------+     |     +--------+     |   +--------+
>                  |                    |
>   initiates      |     encrypts       |   client logon
>   connection    FW1    with cert-2   FW2  with cert-1
>
>
> As can be seen in the crude picture above: The client initiates the 
> SSL connection to the apache. The apache's cert-2 is used for encryption 
> and the client is prepared to authenticate itself using his client cert-1. 
> At the moment the apache is NOT configured to validate the client's 
> certificate, but ignores it. This is because the apache has no knowledge 
> of the application that wants the authentication in the backend server.
> After the SSL connection between client and apache is established, the 
> apache initiates a new SSL connection to the application server. This 
> connection is encrypted with the appsrv's cert-3. Now the application 
> server wants the client to authenticate itself using a client certificate 
> instead of a normal username/password pair. This, of course, fails at 
> the moment, because the certificate of the apache has no rights in the 
> application and the client cert-1 is lost due to the apache terminating 
> the SSL connection.
>
> Now again my question: Can I configure the apache to forward the 
> client cert-1 to the backend application server? Is there a module 
> that I can use for this? I'm not sure at the moment if such a module 
> could work at all.

Yes, mod_rewrite can do this.
This is some old stuff, but you might get the idea:

# prerequisites: mod_rewrite must be on, and the proxy must at least ask the
# client for a certificate, otherwise SSL_CLIENT_CERT stays empty. With
# optional_no_ca the proxy accepts the certificate without checking the chain,
# which matches the setup above (the proxy does not validate, the backend does).
RewriteEngine On
SSLVerifyClient optional_no_ca

# internal function: URL-escape the value (the newlines in the PEM body become %0A)
RewriteMap  canonicalize int:escape

# client cert check: ok, we had a client cert, so first put it in an env variable
RewriteCond  %{SSL:SSL_CLIENT_CERT} ^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+certificate-----$ [NC]
RewriteRule  ^/login - [E=FORWARD_CERT:${canonicalize:%1}]

# drop any copy of the header the client sent itself (the conditional "set" below
# only fires when a certificate was seen, so without this a client-supplied header
# would pass through untouched), then use the env variable to forward the
# certificate to the app server via a custom request header
RequestHeader unset APACHE_CLIENT_CERT_HARD
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT


With this you should have the backend code on the appserver pull out 
the request header value and authenticate via that.


./allan


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL termination on apache but client certificate routed through

Posted by "Guenther, Christian" <Ch...@realtech.com>.
Hi Allan,

If I get that right, your solution would provide the client certificate to the backend server in the form of a header variable. Is that correct? Therefore the client certificate would not be available as part of a normal, standard-conforming SSL handshake but would essentially be copied into the normal HTTP data part. I would then need to change my backend server's code to look for the certificate in a different place?

Don't get me wrong, if my developers here tell me that they can change our application server in this way, I'd be more than happy to use that solution. I just don't see how the server could validate the certificate in this scenario, as it does not have access to the client but only to the reverse proxy.

Let me ask you this question: If I'd provide the client certificate to the backend application server during the normal SSL handshake between apache and application server - let's say I would copy it to the place where the apache certificate would normally be -, that surely would lead to a mismatch between the DN of the certificate and the hostname of the server presenting the certificate, would it not?

   Greetings,

Christian
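Added example, written for this page and not code from either poster: a Go sketch of what the backend can check when the certificate arrives in the APACHE_CLIENT_CERT_HARD header as in Allan's config, which is also the answer to Christian's question about validating without access to the client. The backend cannot get proof that the client holds the private key; that signature was checked in the proxy's handshake (and it is also why the certificate cannot simply be re-presented on the apache-to-appsrv handshake: the proxy does not have cert-1's key). What it can do is (a) accept the header only on connections that really come from the proxy and (b) verify that the certificate chains to its own CA and is valid for client authentication. The header name is taken from the thread; the proxy network 10.0.1.0/24, the self-signed test CA and the client certificate are constructed for the example and marked as such in the code, and a deployment would load its real CA from disk and, better than a source-address check, run mutual TLS on the FW2 leg so only the proxy can speak to the backend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// CertHeader is the header name from the RequestHeader line in the thread.
const CertHeader = "APACHE_CLIENT_CERT_HARD"

// AuthenticateForwardedCert is the backend-side check for a client certificate the
// reverse proxy copied into a request header. Proof of possession happened in the
// proxy's TLS handshake, so the backend can only verify that the request comes from
// the proxy and that the certificate chains to a trusted CA and is valid for client
// authentication. It returns the subject CommonName on success.
func AuthenticateForwardedCert(r *http.Request, roots *x509.CertPool, proxyNet *net.IPNet) (string, error) {
	// Anyone who can reach the backend directly could write this header themselves.
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	if ip := net.ParseIP(host); ip == nil || !proxyNet.Contains(ip) {
		return "", fmt.Errorf("certificate header from %q, not from the reverse proxy", r.RemoteAddr)
	}
	// Apache's int:escape map URL-escapes the captured base64 body (newlines become %0A).
	body, err := url.PathUnescape(r.Header.Get(CertHeader))
	if err != nil || body == "" {
		return "", fmt.Errorf("missing or malformed certificate header: %v", err)
	}
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(body), ""))
	if err != nil {
		return "", fmt.Errorf("decoding certificate body: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parsing certificate: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// issue signs a certificate for cn; with parent == nil it makes a self-signed CA.
// This throwaway PKI is constructed test data so the example runs offline.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// proxyHeaderValue renders cert as the thread's config delivers it: the PEM body in
// 64-character base64 lines run through int:escape (PathEscape also escapes '/',
// which ap_escape_uri leaves alone; PathUnescape on the backend accepts both).
func proxyHeaderValue(cert *x509.Certificate) string {
	b64 := base64.StdEncoding.EncodeToString(cert.Raw)
	var lines []string
	for ; len(b64) > 64; b64 = b64[64:] {
		lines = append(lines, b64[:64])
	}
	return url.PathEscape(strings.Join(append(lines, b64), "\n") + "\n")
}

func main() {
	ca, caKey, _ := issue("Corp Issuing CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, proxyNet, _ := net.ParseCIDR("10.0.1.0/24") // the Apache proxy's network (assumed)
	alice, _, _ := issue("alice", ca, caKey)
	r, _ := http.NewRequest("GET", "/login", nil)
	r.RemoteAddr = "10.0.1.5:40000"
	r.Header.Set(CertHeader, proxyHeaderValue(alice))
	fmt.Println(AuthenticateForwardedCert(r, roots, proxyNet))
}
```

The check order matters: the source-address test comes before any parsing, so an attacker who can reach the backend but not spoof the proxy's address gets no say in what is parsed, and the CA check uses an explicit ClientAuth key usage so a server or code-signing certificate from the same CA is refused.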
