Mod_proxy and client certificate auth
on 06.06.2006 21:36:37 by Paul
Hi,
I'm trying to get mod_proxy to work as an SSL proxy using a client
certificate on the proxy to connect to a backend IIS server that's set up
to use any client certificate signed by my OpenSSL-based CA.
If I use a browser with the same certificate bundled up as a PKCS12
bundle, through the proxy, it all works, but what I really need is for
Apache/mod_ssl to use a locally stored version of the cert/key to connect,
then let the IIS server do its normal basic auth. That's one single
client cert/key for all externally connecting users (yes, I understand
the ramification; it's not for user authentication), not a per-user proxy
cert.
Here's what I have in my Apache ssl.conf file:
RequestHeader set Front-End-Https "On"
CacheDisable *
SSLProxyEngine On
ProxyPass /app https://iisserver/app
ProxyPassReverse /app https://iisserver/app
SSLProxyMachineCertificatePath conf/cert
SSLEngine on
conf/cert contains user.pem, a .pem cert file with an RSA private key
catenated to it. I also have a hash link to the user.pem cert file.
Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to
bin/envvars.
Can anyone tell me what I'm doing wrong?
Thanks,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Mod_proxy and client certificate auth
on 08.06.2006 04:39:33 by BJ Swope
From everything I've heard and read, mod-proxy will not proxy HTTPS on the
back like what you are asking. You can have HTTPS on the front end but not
on the back. It will have to be HTTP to the back.
If you get this working I would LOVE to hear how you got it done!!!!
On 6/6/06, Paul D. Robertson wrote:
>
>
> Hi,
>
> I'm trying to get mod_proxy to work as an SSL proxy using a client
> certificate on the proxy to connect to a backend IIS server that's set up
> to use any client certificate signed by my OpenSSL-based CA.
>
> If I use a browser with the same certificate bundled up as a PKCS12
> bundle, through the proxy, it all works, but what I really need is for
> Apache/mod_ssl to use a locally stored version of the cert/key to connect,
> then let the IIS server do its normal basic auth. That's one single
> client cert/key for all externally connecting users (yes, I understand
> the ramification; it's not for user authentication), not a per-user proxy
> cert.
>
> Here's what I have in my Apache ssl.conf file:
>
> RequestHeader set Front-End-Https "On"
> CacheDisable *
> SSLProxyEngine On
> ProxyPass /app https://iisserver/app
> ProxyPassReverse /app https://iisserver/app
> SSLProxyMachineCertificatePath conf/cert
> SSLEngine on
>
> conf/cert contains user.pem, a .pem cert file with an RSA private key
> catenated to it. I also have a hash link to the user.pem cert file.
>
> Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to
> bin/envvars.
>
> Can anyone tell me what I'm doing wrong?
>
> Thanks,
>
> Paul
>
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal
> opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
>
>
--
We are all slave to our own paradigm. -- Joshua Williams
Re: Mod_proxy and client certificate auth
on 08.06.2006 15:37:11 by Paul
On Wed, 7 Jun 2006, BJ Swope wrote:
> From everything I've heard and read, mod-proxy will not proxy HTTPS on the
> back like what you are asking. You can have HTTPS on the front end but not
> on the back. It will have to be HTTP to the back.
>
> If you get this working I would LOVE to hear how you got it done!!!!
>
>
I'm getting end-to-end SSL, just the undesired (this time) effect of
having the client cert passed all the way through the chain, which I'd
expect folks to want as normal behavior.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards
Re: Mod_proxy and client certificate auth
on 09.06.2006 01:26:58 by BJ Swope
Guess I've been hearing wrong for 3 years now ;)
Time to go digging...
On 6/8/06, Paul D. Robertson wrote:
>
> On Wed, 7 Jun 2006, BJ Swope wrote:
>
> > From everything I've heard and read, mod-proxy will not proxy HTTPS on
> the
> > back like what you are asking. You can have HTTPS on the front end but
> not
> > on the back. It will have to be HTTP to the back.
> >
> > If you get this working I would LOVE to hear how you got it done!!!!
> >
> >
>
> I'm getting end-to-end SSL, just the undesired (this time) effect of
> having the client cert passed all the way through the chain, which I'd
> expect folks to want as normal behavior.
>
> Paul
>
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal
> opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> http://fora.compuwar.net Infosec discussion boards
>
>
--
We are all slave to our own paradigm. -- Joshua Williams
Re: Mod_proxy and client certificate auth
on 09.06.2006 12:16:44 by Joe Orton
On Tue, Jun 06, 2006 at 03:36:37PM -0400, Paul D. Robertson wrote:
> I'm trying to get mod_proxy to work as an SSL proxy using a client
> certificate on the proxy to connect to a backend IIS server that's set up
> to use any client certificate signed by my OpenSSL-based CA.
>
> If I use a browser with the same certificate bundled up as a PKCS12
> bundle, through the proxy, it all works, but what I really need is for
> Apache/mod_ssl to use a locally stored version of the cert/key to connect,
> then let the IIS server do its normal basic auth. That's one single
> client cert/key for all externally connecting users (yes, I understand
> the ramification; it's not for user authentication), not a per-user proxy
> cert.
There's no way to do this with mod_ssl without modifying the source.
With httpd 2.2.x (and also I believe mod_ssl-2.8-for-1.3) what you can
do is to pass through the client's SSL certificate (in PEM format) as a
request header to the backend, then extract that on the backend server
and then verify that against a CA cert independently; see
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header and the
%{...}s stuff.
That is the traditional approach used when passing through client certs
to Tomcat etc, and doesn't require an SSL connection between proxy and
backend. Doing this with an IIS backend might be a challenge.
> Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to
> bin/envvars.
That affects handling of rfc3820 "proxy certificates" (which you are not
using unless you are doing some serious PKI voodoo ;).
joe
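The pass-through approach Joe describes, as an added example that is not code from the thread or from httpd: the proxy-side mod_headers directives sit in the docstring, and the backend side (a generic backend, not IIS) re-wraps the forwarded PEM and verifies it against the CA independently. The header name X-SSL-Client-Cert, the RequestHeader unset line and the use of the openssl command line on the backend are my assumptions.

```python
"""Backend-side handling of a client certificate forwarded as a request header.

Assumed proxy config (httpd 2.2 mod_headers + mod_ssl, header name is mine):

    RequestHeader unset X-SSL-Client-Cert
    RequestHeader set   X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

The unset matters: only the proxy may supply this header, and the backend
must still verify the certificate against its CA rather than trust the name.
"""
import base64
import re
import subprocess
import tempfile

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def header_to_pem(header_value: str) -> str:
    """Rebuild a PEM file from the header value.

    Header transport may fold the PEM's newlines into spaces, so the base64
    body can arrive as space-separated 64-character chunks; re-wrap it and
    reject anything that is not a single, well-formed certificate block."""
    value = header_value.strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise ValueError("header does not carry exactly one PEM certificate")
    body = re.sub(r"\s+", "", value[len(BEGIN):-len(END)])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    base64.b64decode(body, validate=True)  # rejects bad padding or length
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def verify_against_ca(pem: str, ca_file: str) -> bool:
    """Independent CA check on the backend, delegated to the openssl CLI
    (assumed to be installed). True means the chain verified against ca_file."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
        tmp.write(pem)
        tmp.flush()
        result = subprocess.run(
            ["openssl", "verify", "-CAfile", ca_file, tmp.name],
            capture_output=True, text=True)
    return result.returncode == 0
```

Only after verify_against_ca returns True should the backend read the subject out of the certificate and act on it.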