Proxying client certificate

Proxying client certificate

on 04.10.2002 08:46:54 by mapp

Hello all,

I'm trying to do the following and I don't succeed:

I want to authenticate users against an Apache 2.0.40 proxy using SSL with client
certificate authentication. Beyond the proxy, there is a Web server in a
militarized zone and I want to forward the X.509v3 user certificate to this Web
server, in order to perform access control.

I have tried to configure the proxy with SSL and client authentication using
certs and the Web server with SSL (without authentication) and, of course, this
doesn't work since two different SSL contexts are established: Browser->Proxy
and Proxy->SSL, so the information about the SSL channel in the Web server has
nothing to do with the browser -> the server doesn't receive the user
certificate.

I have also tried to configure the proxy with SSL and client authentication with
certs and the Web server without SSL. This works but, obviously, the information
about the SSL channel established between the browser and the proxy is not
forwarded to the Web server.

I've set "SSLOptions" to "+StdEnvVars +CompatEnvVars +ExportCertData" in the
proxy and I wonder if it is possible to forward the environment variables from
the proxy to the Web server.

Can any of you give me any ideas?

Thanks in advance,

Miguel Ángel Peña.



Re: Proxying client certificate

on 04.10.2002 13:05:31 by Manon Goo


I do not know if this works
but I would try using mod_rewrite
and rewrite
/ to http://user@realhost/

Where user is extracted from the x509 DN



--On Friday, 4 October 2002 8:46 +0200 mapp@fnmt.es wrote:

>
>
>
> Hello all,
>
> I'm trying to do the following and I don't succeed:
>
> I want to authenticate users against an Apache 2.0.40 proxy using SSL with
> client certificate authentication. Beyond the proxy, there is a Web
> server in a militarized zone and I want to forward the X.509v3 user
> certificate to this Web server, in order to perform access control.
>
> I have tried to configure the proxy with SSL and client authentication
> using certs and the Web server with SSL (without authentication) and, of
> course, this doesn't work since two different SSL contexts are
> established: Browser->Proxy and Proxy->SSL, so the information about the
> SSL channel in the Web server has nothing to do with the browser -> the
> server doesn't receive the user certificate.
>
> I have also tried to configure the proxy with SSL and client
> authentication with certs and the Web server without SSL. This works but,
> obviously, the information about the SSL channel established between the
> browser and the proxy is not forwarded to the Web server.
>
> I've set "SSLOptions" to "+StdEnvVars +CompatEnvVars +ExportCertData"
> in the proxy and I wonder if it is possible to forward the environment
> variables from the proxy to the Web server.
>
> Can any of you give me any ideas?
>
> Thanks in advance,
>
> Miguel Ángel Peña.
>
>
>
>


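One way to pass the verified client identity from the proxy to the backend is with request headers set by mod_headers, shown here as an added example that is not configuration from the thread. It assumes a current httpd 2.4 with mod_ssl, mod_headers and mod_proxy rather than the 2.0.40 release in the question; the host names, addresses, file paths and `X-SSL-Client-*` header names are placeholders.

```apache
# --- Proxy: terminates SSL and verifies the client certificate ---
<VirtualHost *:443>
    ServerName proxy.example.org            # placeholder name

    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy.crt       # placeholder paths
    SSLCertificateKeyFile /etc/ssl/proxy.key
    SSLCACertificateFile  /etc/ssl/client-ca.pem   # CA that issues user certs
    SSLVerifyClient require
    SSLVerifyDepth  2

    # "set" replaces any header of the same name sent by the browser,
    # so a client cannot supply its own identity values.
    # %{VAR}s reads the mod_ssl variable for the Browser->Proxy session.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    # PEM-encoded client certificate, for backends that parse it themselves
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"

    ProxyPass        / http://backend.internal.example/
    ProxyPassReverse / http://backend.internal.example/
</VirtualHost>

# --- Backend: the headers are only trustworthy if the proxy sent them ---
<VirtualHost 10.0.0.10:80>
    ServerName backend.internal.example

    <Location "/">
        # Accept requests from the proxy's address only (placeholder IP),
        # otherwise anyone who can reach this port can forge the headers.
        Require ip 10.0.0.5
    </Location>
</VirtualHost>
```

The backend application then makes its access-control decision from `X-SSL-Client-Verify` and `X-SSL-Client-S-DN` instead of its own SSL environment, which describes only the Proxy->Server connection.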

Re: Proxying client certificate

on 04.10.2002 15:49:58 by mapp





Thanks a lot!

It's very helpful for me.

Regards,

Miguel Ángel.






Manon Goo
04/10/2002 13:05

Please reply to modproxy-dev@apache.org; Please reply to Manon Goo

Recipients: modproxy-dev@apache.org
CC: (bcc: Miguel Ángel Peña Piñón/Madrid/FNMT)

Subject: Re: Proxying client certificate



I do not know if this works
but I would try using mod_rewrite
and rewrite
/ to http://user@realhost/

Where user is extracted from the x509 DN



--On Friday, 4 October 2002 8:46 +0200 mapp@fnmt.es wrote:

>
>
>
> Hello all,
>
> I'm trying to do the following and I don't succeed:
>
> I want to authenticate users against an Apache 2.0.40 proxy using SSL with
> client certificate authentication. Beyond the proxy, there is a Web
> server in a militarized zone and I want to forward the X.509v3 user
> certificate to this Web server, in order to perform access control.
>
> I have tried to configure the proxy with SSL and client authentication
> using certs and the Web server with SSL (without authentication) and, of
> course, this doesn't work since two different SSL contexts are
> established: Browser->Proxy and Proxy->SSL, so the information about the
> SSL channel in the Web server has nothing to do with the browser -> the
> server doesn't receive the user certificate.
>
> I have also tried to configure the proxy with SSL and client
> authentication with certs and the Web server without SSL. This works but,
> obviously, the information about the SSL channel established between the
> browser and the proxy is not forwarded to the Web server.
>
> I've set "SSLOptions" to "+StdEnvVars +CompatEnvVars +ExportCertData"
> in the proxy and I wonder if it is possible to forward the environment
> variables from the proxy to the Web server.
>
> Can any of you give me any ideas?
>
> Thanks in advance,
>
> Miguel Ángel Peña.
>
>
>
>
