====== Tricks to do client certificate authentications behind a reverse proxy ======
uid=kerphi
title=Tricks to do client certificate authentications behind a reverse proxy
description=This article shows how a reverse proxy can propagate X509 client certificate data to a backend server [...]
category=software
language=en
align=right
The classic reverse proxy deployment looks like this:
  * The reverse proxy sits in a DMZ (the zone exposed to the public Internet).
  * The web applications sit on a private VLAN.
  * The reverse proxy reads the incoming request, then opens a similar (**but new**) request to the internal web application.
The problem tackled in this article is X509 client certificate authentication. By design, the cleartext of an HTTPS exchange can only be read by its two endpoints, so the TLS session from the browser terminates on the reverse proxy. The new connection the proxy opens towards the internal web application is a different session that carries none of the client certificate data: the backend sees the proxy as its peer, not the user, and all the client certificate information is lost.
Here are a few tips to forward the client certificate data to the web application with little effort:
===== Between apache and apache =====
In this setup the reverse proxy is an Apache and the internal web application is also served by Apache. The trick is to use the ''headers'' module (''mod_headers'') to forward the client certificate fields you need as HTTP request headers. For security, the reverse proxy must of course be configured to accept only the client certificates you want (for example by restricting the issuing CA through ''SSLCACertificateFile'' and requiring a certificate with ''SSLVerifyClient require'', as below).
On Debian, enable the ''headers'' module with:
<code bash>
sudo a2enmod headers
</code>
Then edit the reverse proxy virtual host this way:
<code apache>
Listen 1981
NameVirtualHost *:1981
<VirtualHost *:1981>
    ServerName localhost
    ErrorLog /var/log/apache2/1981.error.log
    CustomLog /var/log/apache2/1981.access.log combined

    # activate HTTPS on the reverse proxy
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/mycert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mycert.key

    # activate the client certificate authentication:
    # only certificates chaining to this CA bundle are accepted, and one is mandatory
    SSLCACertificateFile /etc/apache2/ssl/client-accepted-ca-chain.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    AddDefaultCharset Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # reset the special headers to a blank value so that a client cannot inject them
    # (RequestHeader set overwrites whatever the client sent)
    RequestHeader set SSL_CLIENT_S_DN ""
    RequestHeader set SSL_CLIENT_I_DN ""
    RequestHeader set SSL_SERVER_S_DN_OU ""
    RequestHeader set SSL_CLIENT_VERIFY ""
    # add all the SSL_* variables the internal web application needs;
    # %{VAR}s expands to the mod_ssl environment variable VAR of this request
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

    # forward everything to the internal Apache (plain HTTP, private network)
    ProxyPass / http://localhost:50161/
    ProxyPassReverse / http://localhost:50161/
</VirtualHost>
</code>
The important directives are the ''RequestHeader'' lines. ''RequestHeader set'' replaces any header of the same name the client may have sent, so the backend only ever sees the values mod_ssl computed on the proxy. This protection holds only as long as the backend is reachable solely from the proxy (here it listens on localhost:50161): a client who can reach port 50161 directly can send its own ''SSL_CLIENT_S_DN'' header and the backend has no way to tell the difference, so restrict who may connect to the backend as well. You can find the complete list of the SSL environment variables in the [[http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars|online apache documentation]].
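The article does not show the backend side. The following is an added example, not the article's own configuration, of the internal Apache virtual host that receives these headers. It assumes the backend listens on 127.0.0.1:50161 (the target of the ''ProxyPass'' line above), that the application lives under the assumed path ''/var/www/app'', and that the application reads the certificate fields from its CGI/PHP environment the way it would on a server terminating TLS itself. It closes the forgery hole from the caveat above by allowing only the proxy to connect, re-exports the forwarded headers as ''SSL_*'' environment variables, and refuses any request the proxy did not mark as ''SUCCESS'':

```apache
# Backend Apache vhost on the private VLAN (added example, not from the original article).
# Assumed: the proxy reaches it at 127.0.0.1:50161; the application is in /var/www/app.
Listen 127.0.0.1:50161
NameVirtualHost 127.0.0.1:50161
<VirtualHost 127.0.0.1:50161>
    ServerName localhost
    DocumentRoot /var/www/app
    ErrorLog /var/log/apache2/50161.error.log
    CustomLog /var/log/apache2/50161.access.log combined

    # Only the reverse proxy may talk to this vhost. Anyone who can reach it
    # directly could send forged SSL_CLIENT_* headers, so the network path must
    # be closed; hiding the header names would not help.
    # (Apache 2.2 syntax, as in the rest of the article; on 2.4 use "Require ip 127.0.0.1".)
    <Location />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

    # Re-export the forwarded request headers as environment variables so that
    # CGI/PHP code finds SSL_CLIENT_S_DN etc. exactly as it would behind mod_ssl.
    # SetEnvIf matches a request header by name; $1 is the captured header value.
    SetEnvIf SSL_CLIENT_S_DN   "^(.+)$" SSL_CLIENT_S_DN=$1
    SetEnvIf SSL_CLIENT_I_DN   "^(.+)$" SSL_CLIENT_I_DN=$1
    SetEnvIf SSL_CLIENT_VERIFY "^(.+)$" SSL_CLIENT_VERIFY=$1

    # Belt and braces: refuse (403) any request the proxy did not mark as a
    # verified client. With SSLVerifyClient require on the proxy this should
    # never trigger, but it turns a misconfigured proxy into a visible failure
    # instead of an authentication bypass.
    RewriteEngine On
    RewriteCond %{HTTP:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .* - [F]
</VirtualHost>
```

The order matters: the access control is evaluated before the application runs, the ''SetEnvIf'' lines run early in the request so the variables are visible to mod_rewrite and to the application, and the rewrite rule rejects the request before any content is served. If the proxy and the backend are two separate hosts, replace 127.0.0.1 with the proxy's VLAN address in both the ''Listen'' and ''Allow from'' lines.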
===== Between apache and tomcat =====
In this setup the reverse proxy is again an Apache and the internal web application runs in a Tomcat server. The trick is to use the AJP protocol, which carries the client certificate to Tomcat as a request attribute, so the application can read it through the standard ''javax.servlet.request.X509Certificate'' request attribute instead of parsing HTTP headers. Once your [[:articles:configure-mod_proxy_ajp-with-tomcat:start|tomcat is configured with an AJP connector]], you just have to configure HTTPS with a special option (''+ExportCertData'') on your Apache reverse proxy. Two caveats: with ''SSLVerifyClient optional'' as below, requests without a certificate are still forwarded, so the application must check that the attribute is present (and that the issuer is the expected CA) before trusting it; and because Tomcat trusts the SSL attributes it receives over AJP, the AJP connector must not be reachable from anything but the proxy (bind it to 127.0.0.1 with the connector's ''address'' attribute in ''server.xml'').
<code apache>
Listen 1979
NameVirtualHost *:1979
<VirtualHost *:1979>
    ServerName localhost
    ErrorLog /var/log/apache2/1979.error.log
    CustomLog /var/log/apache2/1979.access.log combined

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/mycert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mycert.key
    SSLCACertificateFile /etc/apache2/ssl/client-accepted-ca-chain.crt
    # optional: requests without a client certificate are still forwarded
    SSLVerifyClient optional
    SSLVerifyDepth 2
    # this option is mandatory to make apache forward the client cert data to tomcat
    SSLOptions +ExportCertData

    AddDefaultCharset Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
</code>
{{tag>article computing reverse proxy certificate x509 authentication ajp apache tomcat}}
~~DISCUSSION~~