You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Daniel <df...@gmail.com> on 2015/07/01 11:05:01 UTC
Re: [users@httpd] Client Cert Authentication behind an apache proxy
without headers
You can make your proxy identify with a specific key-cert combination with:
SSLProxyMachineCertificateFile
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
But "passthrough" as you say, that's not how proxy works AFAIK.
2015-06-30 23:57 GMT+02:00 pankit thapar <th...@gmail.com>:
> Hi,
>
> I wanted to know if there is a way to pass on the client cert as it is to
> a backend server through an apache proxy without using the SSL headers.
>
> Scenario:
> Client---https--->Proxy(:443)---https--->BackEnd(:PORT)
>
> The above figure is what I want to set up.
> So, basically I want apache proxy to act as a man in the middle and just
> forward the https request as it is.
>
> Please let me know if someone has an idea on this.
>
> Thanks,
> Pankit
>
--
*Daniel Ferradal*
IT Specialist
email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] Client Cert Authentication behind an apache proxy
without headers
Posted by pankit thapar <th...@gmail.com>.
It's just an old set up that we don't want to change but what we want to do
is add client certification on the backend server as the certificates sit
on the backend server and not on the proxy.
On Jul 1, 2015 7:54 AM, "Marat Khalili" <mk...@rqc.ru> wrote:
> Obviously, SSL protects traffic from any tampering by proxy. However,
> proxy can pass traffic through as-is when asked with CONNECT method; it
> might solve your problem depending on what this problem is (why do you need
> proxy in the first place?).
>
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 01/07/15 17:23, pankit thapar wrote:
>
> Yes, the above link provides a directive to authenticate proxy which is
> not what I am looking for.
> I actually thought that I could use connect protol to create a tunnel from
> client through proxy to the backend server.
> What do you think about that?
>
> On Wed, Jul 1, 2015 at 5:05 AM, Daniel <df...@gmail.com> wrote:
>
>> You can make your proxy identify with a specific key-cert combination
>> with:
>> SSLProxyMachineCertificateFile
>>
>> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
>>
>> But "passthrough" as you say, that's not how proxy works AFAIK.
>>
>> 2015-06-30 23:57 GMT+02:00 pankit thapar <th...@gmail.com>:
>>
>>> Hi,
>>>
>>> I wanted to know if there is a way to pass on the client cert as it is
>>> to a backend server through an apache proxy without using the SSL headers.
>>>
>>> Scenario:
>>> Client---https--->Proxy(:443)---https--->BackEnd(:PORT)
>>>
>>> The above figure is what I want to set up.
>>> So, basically I want apache proxy to act as a man in the middle and
>>> just forward the https request as it is.
>>>
>>> Please let me know if someone has an idea on this.
>>>
>>> Thanks,
>>> Pankit
>>>
>>
>>
>>
>> --
>> *Daniel Ferradal*
>> IT Specialist
>>
>> email dferradal at gmail.com
>> linkedin es.linkedin.com/in/danielferradal
>>
>
>
>
Re: [users@httpd] Client Cert Authentication behind an apache proxy
without headers
Posted by Marat Khalili <mk...@rqc.ru>.
Obviously, SSL protects traffic from any tampering by proxy. However,
proxy can pass traffic through as-is when asked with CONNECT method; it
might solve your problem depending on what this problem is (why do you
need proxy in the first place?).
--
With Best Regards,
Marat Khalili
On 01/07/15 17:23, pankit thapar wrote:
> Yes, the above link provides a directive to authenticate proxy which
> is not what I am looking for.
> I actually thought that I could use connect protol to create a tunnel
> from client through proxy to the backend server.
> What do you think about that?
>
> On Wed, Jul 1, 2015 at 5:05 AM, Daniel <dferradal@gmail.com
> <ma...@gmail.com>> wrote:
>
> You can make your proxy identify with a specific key-cert
> combination with:
> SSLProxyMachineCertificateFile
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
>
>
> But "passthrough" as you say, that's not how proxy works AFAIK.
>
> 2015-06-30 23:57 GMT+02:00 pankit thapar <thapar.pankit@gmail.com
> <ma...@gmail.com>>:
>
> Hi,
>
> I wanted to know if there is a way to pass on the client cert
> as it is to a backend server through an apache proxy without
> using the SSL headers.
>
> Scenario:
> Client---https--->Proxy(:443)---https--->BackEnd(:PORT)
>
> The above figure is what I want to set up.
> So, basically I want apache proxy to act as a man in the
> middle and just forward the https request as it is.
>
> Please let me know if someone has an idea on this.
>
> Thanks,
> Pankit
>
>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com <http://gmail.com>
> linkedin es.linkedin.com/in/danielferradal
> <http://es.linkedin.com/in/danielferradal>
>
>
Re: [users@httpd] Client Cert Authentication behind an apache proxy
without headers
Posted by pankit thapar <th...@gmail.com>.
Yes, the above link provides a directive to authenticate proxy which is not
what I am looking for.
I actually thought that I could use connect protol to create a tunnel from
client through proxy to the backend server.
What do you think about that?
On Wed, Jul 1, 2015 at 5:05 AM, Daniel <df...@gmail.com> wrote:
> You can make your proxy identify with a specific key-cert combination with:
> SSLProxyMachineCertificateFile
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile
>
> But "passthrough" as you say, that's not how proxy works AFAIK.
>
> 2015-06-30 23:57 GMT+02:00 pankit thapar <th...@gmail.com>:
>
>> Hi,
>>
>> I wanted to know if there is a way to pass on the client cert as it is to
>> a backend server through an apache proxy without using the SSL headers.
>>
>> Scenario:
>> Client---https--->Proxy(:443)---https--->BackEnd(:PORT)
>>
>> The above figure is what I want to set up.
>> So, basically I want apache proxy to act as a man in the middle and just
>> forward the https request as it is.
>>
>> Please let me know if someone has an idea on this.
>>
>> Thanks,
>> Pankit
>>
>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
>