Guenther, Christian wrote:
Hi List,
I have an application server in an internal DMZ for which I use an Apache2 as a
reverse proxy. The overall communication works flawlessly. Clients connect to
the Apache and it passes the requests through to my internal
application server (by the way, it is an SAP XI).
Now I added SSL to my setup and this too works perfectly. A client uses SSL to
contact the application server. The Apache as reverse proxy terminates the SSL
connection and then connects to the internal application server via SSL.
But now I want the external client to authenticate itself to the application server via client certificate, and this won't work at all.

As I see it, in normal SSL communication the client certificate is taken by the Apache, which will not use it because it is not configured to check for client certificates. The application server in turn is supposed to authenticate the client via its certificate, which fails because the Apache does not pass the certificate through to it.

Is there any way of configuring the Apache to terminate the SSL connection but pass the client certificate from the outside client to the internal application server?
Thanks in advance,
Christian
PS: I have added the part of my httpd.conf that deals with the XI backend:
<VirtualHost 172.30.210.210>
ServerName web004.externerhost.de
ServerAdmin [EMAIL PROTECTED]
# This virtual host does not serve any documents itself but only proxy
ProxyRequests Off
ProxyPreserveHost On
RequestHeader set ClientProtocol HTTPS
# Set additional header for letting IE 6 SP2 accept 3rd party cookies
# in an iframe. See: http://msdn.microsoft.com/library/default.asp?url=
# /workshop/security/privacy/privacy_ovw_entry.asp for details
Header add P3P CP="NOI"
SSLEngine On
SSLCertificateFile /etc/apache2/ssl.crt/web004_cert.pem
SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem
SSLProxyEngine On
# Forward all requests for this host to SAP XI
ProxyPass / https://ux210210.internerhost.lan:8007/
# Rewrite HTTP 302 object moved redirects from SAP XI
ProxyPassReverse / https://ux210210.internerhost.lan:8007/
</VirtualHost>
If you don't have the frontend Apache configured to check for client
certificates, I don't see how you can pass the certificates to the
application server.

It sounds as if you will need a "double" verification: one at the
frontend and one at the backend.

We have a setup where we pass the certificate (escaped) to the proxied
server as a RequestHeader (we use mod_rewrite). The verification then
happens at the frontend, and the communication (in our case) between
frontend and backend is HTTP, not HTTPS.
./allan
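A worked version of the approach Allan describes, added here as an illustration and not taken from either poster's configuration: the frontend Apache requires and verifies the client certificate itself, then forwards the verified identity (verification result, subject DN, serial, issuer) to the backend as request headers, after first dropping any headers of the same name that the external client may have sent. The CA bundle path, the header names and the use of the `%{VAR}s` header format (mod_ssl variables via mod_headers, available from Apache 2.2 on) are assumptions; the virtual host, certificate paths and backend URL are the ones from Christian's posted httpd.conf.

```apache
# Added example configuration, not the original poster's httpd.conf.
# Frontend terminates TLS, verifies the client certificate, and passes the
# verified identity to the backend in request headers.
<VirtualHost 172.30.210.210:443>
    ServerName web004.externerhost.de

    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl.crt/web004_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem

    # Client-certificate verification happens here, at the frontend.
    # /etc/apache2/ssl.crt/client-ca.pem is an assumed path to the CA(s)
    # that issue the client certificates. "require" rejects the handshake
    # if the client presents no certificate or one that does not verify.
    SSLCACertificateFile /etc/apache2/ssl.crt/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Make the SSL_CLIENT_* variables (and the PEM certificate) available
    SSLOptions +StdEnvVars +ExportCertData

    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On

    # Never let the external client smuggle identity headers through the
    # proxy: drop whatever it sent, then set the headers from what mod_ssl
    # actually verified on this connection. Header names are assumptions.
    RequestHeader unset X-SSL-Client-Verify
    RequestHeader unset X-SSL-Client-S-DN
    RequestHeader unset X-SSL-Client-Serial
    RequestHeader unset X-SSL-Client-I-DN
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    # The full PEM certificate (SSL_CLIENT_CERT) contains line breaks, which
    # an HTTP header value cannot carry as-is. That is why Allan's setup
    # escapes it; only enable this if the backend expects the escaped form.
    # RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

    # Forward all requests for this host to SAP XI
    ProxyPass        / https://ux210210.internerhost.lan:8007/
    ProxyPassReverse / https://ux210210.internerhost.lan:8007/
</VirtualHost>
```

The check the backend still has to do is on the transport, not the certificate: the identity headers are only trustworthy if every request carrying them really came from this proxy. Either restrict port 8007 so that only the proxy can reach it, or, since the proxy already speaks HTTPS to the backend, give the proxy its own client certificate with SSLProxyMachineCertificateFile and have the backend require it, so that anyone who can reach the backend directly cannot forge an X-SSL-Client-S-DN header.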
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]