The most classical reverse proxies utilizations are:
The problem we are tackling in this article is about X509 client certificate authentications. By definition and for security, a HTTPS request clear content cannot be spied. This is why when putting a reverse proxy behind the client and the internal web application, the HTTPS stream will be broken and we will loose all the client certificate data.
Here is some tips to forward without many efforts the client certificate data to the web application:
In this situation, the reverse proxy is an apache and the internal web application is also an apache. The tip is to use the headers
modules to manually forward the wanted client cert data. Of course for security reasons, you have to configure your reverse proxy to only allow wanted client certificate (based on the AC for example).
On debian, to activate the headers
module, just type this command:
sudo a2enmod headers
Then you have to edit the appropriate reverse proxy virtual host directive this way:
Listen 1981 NameVirtualHost *:1981 <VirtualHost *:1981> ServerName localhost ErrorLog /var/log/apache2/1981.error.log CustomLog /var/log/apache2/1981.access.log combined # activate HTTPS on the reverse proxy SSLEngine On SSLCertificateFile /etc/apache2/ssl/mycert.crt SSLCertificateKeyFile /etc/apache2/ssl/mycert.key # activate the client certificate authentication SSLCACertificateFile /etc/apache2/ssl/client-accepted-ca-chain.crt SSLVerifyClient require SSLVerifyDepth 2 <Proxy *> AddDefaultCharset Off Order deny,allow Allow from all </Proxy> # initialize the special headers to a blank value to avoid http header forgeries RequestHeader set SSL_CLIENT_S_DN "" RequestHeader set SSL_CLIENT_I_DN "" RequestHeader set SSL_SERVER_S_DN_OU "" RequestHeader set SSL_CLIENT_VERIFY "" <Location /> # add all the SSL_* you need in the internal web application RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s" RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s" RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s" ProxyPass http://localhost:50161/ ProxyPassReverse http://localhost:50161/ </Location> </VirtualHost>
The important directives are the RequestHeader
lines. You can found a complete list of the SSL environement variables at the online apache documentation.
In this situation, the reverse proxy is an apache again and the internal web application is a tomcat server. The tip is to use the AJP protocol. Once your tomcat is configured with an AJP connector, you just have to configure HTTPS with a special option (+ExportCertData
) on your apache reverse proxy.
Listen 1979 NameVirtualHost *:1979 <VirtualHost *:1979> ServerName localhost ErrorLog /var/log/apache2/1979.error.log CustomLog /var/log/apache2/1979.access.log combined SSLEngine On SSLCertificateFile /etc/apache2/ssl/mycert.crt SSLCertificateKeyFile /etc/apache2/ssl/mycert.key SSLCACertificateFile /etc/apache2/ssl/client-accepted-ca-chain.crt SSLVerifyClient optional SSLVerifyDepth 2 # this option is mandatory to force apache to forward the client cert data to tomcat SSLOptions +ExportCertData <Proxy *> AddDefaultCharset Off Order deny,allow Allow from all </Proxy> ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ </VirtualHost>
Discussion
Hello,
I have a problem with client certificate authentication on Apache configured as a reverse proxy. I have followed your tricks to do client certificate authentications behind a reverse proxy and it doesn't work for me. Here is a short description of my problem:
Internet ===(http/https)=====⇒ Apache 2 (RP) Server ======(https)===⇒ IIS Server
The client authentication works on the RP but the certificate informations aren't forwaded to the IIS Server. Here is the configuration of the apache vhosts:
I would be very grateful if you could give me a piece of advice… Thanks
sebastien
To debug this problem, I think you should:
Could you please show me how to config with “Between Apache and IIS Server”.
I am in a situation just like Sébastien, I used his configuration code, and tried your advice, however my code in IIS server still can not read the Client Certificate.
Please help me, I really need this to work. Thanks very much.
Thanks for the answer. I'll try this.
Sébastien
Hi Sébastien,
Did you ever get resolution on this issue? We are trying to do the same thing, Apache to IIS using SSL and cannot get it to proxy that way. Did you ever get yours working? Are you willing to share what you did?
Thanks,
Kevin
Hi, Guys kindly advice me! I wanna reverse to another web server as ur guys. but the problem is that web server(where will be reversed) does not belong to me. I cannot do anything in that web server. But My task is to evaluate wethere that client certificate are correct by authentication of reverse server.
My question is How I can get response from reversing server by sending them my client certificate. I need know the respond if reverse server. Thanks !!!
You saved my life :) Thx
Hi, My question is : why the first apache proxy send to http://localhost:50161/ and the other apache proxy listen in port 1979 and https. How is possible ??
For the moment, my second proxy received the REQUEST header but AJP not deal the header and i have a message : java.lang.runtime.exception : Client certificat reuqired ……
Hi guys!! Very good arcticle about trick with apache proxy, but tell me, anyone had experience with nginx and apache/IIS?
So the idea is - client—ssl/certificate—> Nginx —-ssl/certificate—>Apache/IIS.
They need to use the same certificate on both nginx authorization and apache. Trying to figure out how to make it possible, but confused with headers which i need to set to make apache accept/IIS certificate. May be you have any ideas how to work this out?
The problem with IIS/Apache is that the proxy request actually sets up a separate HTTPS session between Apache and IIS using the Apache server certificate as the basis for the SSL tunnel.
Apache/Tomcat is a special case with the AJP connector, because the AJP connector is specifically written to allow forwarding of the client SSL information.
I'm attempting to configure apache to do something similar…I'm using apache provided by Oracle (version 2.0), and I get the following error when trying the above trick:
Unrecognized Header or RequestHeader directive %s
I've verified the vars that I'm using do indeed exist for 2.0, and it seems to not complain until it load the RequestHeaders in a Location section. It doesn't complain about the ones used under "# initialize the special headers to a blank value to avoid http header forgeries"
HI, iam using nginx as my webserver & reverse proxy and thin is my application server. ihave installed my ssl certificate in proxy server. the problem is–We have purchase "Premium EV SSL (2 Years)(annual) certificate" for our domain "www.mysite.com". when we type "www.mysite.com" in url it opens site with green coloured "https:" with lock symbol, but when we login to our site with a username and password-it doesn't show that green coloured "https". It shows "https" in black colur and lock symbol with orange coloured triangle. when i click on that lock it displays the following message –"Your connection to www.mysite.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page." why and What is the problem? where to make changes to display green coloured "https" in the address bar. In this case how to install ssl certificate.
Your problem is related to HTTP ressources (javascript, css ..) which are included in your HTTPS page. Try to look the HTML source code and search for http string (without s)