How to pass a Client Certificate through a Reverse Proxy


How to pass a Client Certificate through a Reverse Proxy

Alexiuc, Daniel
Hi all,

I've configured Apache as a reverse proxy in the following kind of
arrangement:

Client's browser -------> Apache Reverse Proxy ------> External Server


When the External Server requires Basic Authentication or SSL from the
client, this works fine through the proxy. I have configured this using
a RewriteRule with the "Use Proxy" option like so:

RewriteRule ^/call/(.*)$ $1 [P]


However this setup does not seem to work when I want to pass a Client
Certificate from the browser to the External Server for Authentication.
I get the following error messages:

[Thu Mar 08 11:43:29 2007] [warn] Proxy client certificate callback:
(localhost:80) downstream server wanted client certificate but none are
configured
[Thu Mar 08 11:43:29 2007] [error] (502)Unknown error: proxy: pass
request body failed to 10.43.125.11:8443

It seems as if the reverse proxy isn't passing through the client
certificate from the browser. I realise that it is possible to setup the
reverse proxy with a client certificate, but I need the client
certificate to come from the client's browser.

Does anyone have any suggestions about how to configure the reverse
proxy to "pass through" client certificates?

Thanks for your help...

Daniel Alexiuc




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

RE: How to pass a Client Certificate through a Reverse Proxy

Alexiuc, Daniel
Hi all,

Well it's been over a year since I asked this question, and I am still
getting emails from people running into the same problem who are unable
to find a solution or any information on the subject. So, for posterity,
here is what I know...   :)

As far as I know, it cannot be achieved.
 
It seems that the reverse proxy, while seeming to be sort of "invisible"
to the client, actually breaks the SSL connection and recreates a new
one to the external server, so passing on the client certificate is
impossible.

If your external server is a local one over which you have control, or
which you trust, then you can read the information from the certificate
at the proxy and pass on the information in the headers as a possible
alternative, but this is not secure.
 
The way client certificates and reverse proxies are usually used is that
people set up the reverse proxy on the same server as the "external
server" I described, use the proxy to do the client certificate
authentication, and then just pass on the request to the server without
the client certificate. In this situation, the "external server" must be
hidden behind the proxy, and they must trust each other.

I had to go with an alternative solution, using a cross-domain AJAX
request in the browser instead of a reverse proxy that solved my
problem.

Daniel

-----Original Message-----
From: Alexiuc, Daniel [mailto:[hidden email]]
Sent: Thursday, 08 March 2007 3:41 PM
To: [hidden email]
Subject: [users@httpd] How to pass a Client Certificate through a
Reverse Proxy

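The alternative described in the reply above, authenticating the browser's certificate at the proxy and forwarding the resulting identity to a backend on the same host, as an added configuration example; it is not part of the original thread or of the Apache project's own documentation. Apache httpd 2.2 or 2.4 with mod_ssl, mod_headers and mod_proxy is assumed; the file paths, the server name, the loopback backend port and the X-SSL-Client-* header names are assumptions chosen for illustration.

```apache
# Added example, not from the thread: terminate SSL at the reverse proxy,
# verify the browser's client certificate there, and forward the certificate's
# subject to a backend listening only on loopback (assumed port 8080).
<VirtualHost *:443>
    ServerName proxy.example.com                  # assumed

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/proxy.key    # assumed path

    # The proxy, not the backend, verifies the browser's certificate. The
    # browser's private key never leaves the browser, so this is the only
    # hop on which that certificate can be checked at all.
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem   # assumed: CA that issued client certs
    SSLVerifyClient require
    SSLVerifyDepth  2

    # %{VAR}s expands mod_ssl connection variables inside mod_headers.
    # "set" REPLACES any header of that name the browser sent, so a client
    # cannot smuggle its own X-SSL-Client-DN through to the backend.
    # Never use "append" or "add" for identity headers.
    RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Issuer "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # Reverse proxy only. ProxyPass does the same job as the
    # "RewriteRule ... [P]" used in the original post.
    ProxyRequests Off
    ProxyPass        /call/ http://127.0.0.1:8080/
    ProxyPassReverse /call/ http://127.0.0.1:8080/
</VirtualHost>

# On the same host, the backend binds to loopback only, so the headers above
# can only ever have been written by the proxy.
Listen 127.0.0.1:8080
```

The backend has no way to distinguish a header written by the proxy from one forged by a client, so it must not be reachable by any path that bypasses the proxy; binding it to 127.0.0.1, or firewalling port 8080 to the proxy host, is what turns the "not secure" header hand-off into something the backend may rely on. Note also that the string format of SSL_CLIENT_S_DN changed between httpd 2.2 and 2.4 (2.4 adds LegacyDNStringFormat to get the old form), so the backend should not parse the DN with assumptions about field order.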


Re: How to pass a Client Certificate through a Reverse Proxy

Matus UHLAR - fantomas
On 29.04.08 08:24, Alexiuc, Daniel wrote:
> Well it's been over a year since I asked this question, and I am still
> getting emails from people running into the same problem who are unable
> to find a solution or any information on the subject. So, for posterity,
> here is what I know...   :)
>
> As far as I know, it cannot be achieved.

> It seems that the reverse proxy, while seeming to be sort of "invisible"
> to the client, actually breaks the SSL connection and recreates a new
> one to the external server, so passing on the client certificate is
> impossible.

Yes, because a client can only send its certificate by using encrypted and
SIGNED connection, and only the client can sign the certificate so server
can trust it. The proxy does not know the clients private key, otherwise the
connection would not be secure (or not in the way most people know that).

> If your external server is a local one over which you have control, or
> which you trust, then you can read the information from the certificate
> at the proxy and pass on the information in the headers as a possible
> alternative, but this is not secure.

the "not secure" usually means that the connection from proxy to a client
is (usually) non-ssl'ed, so anyone between proxy and server may sniff the
data. You can use an SSL connection from the proxy to the server, but the proxy will
send its own certificate there, not the client's.

> The way client certificates and reverse proxies are usually used is that
> people set up the reverse proxy on the same server as the "external
> server" I described, use the proxy to do the client certificate
> authentication, and then just pass on the request to the server without
> the client certificate. In this situation, the "external server" must be
> hidden behind the proxy, and they must trust each other.

SSL is designed to avoid man-in-the-middle attacks, and the reverse proxy IS
the man-in-the-middle. Either you trust it (and accept what it sends) or
don't use it.

> I had to go with an alternative solution, using a cross-domain AJAX
> request in the browser instead of a reverse proxy that solved my
> problem.

you probably could describe it somehow for us to know ...
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

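The proxy-to-server hop over SSL that the reply above describes, where the proxy presents its own certificate rather than the browser's, as an added configuration example that is not part of the thread. The "downstream server wanted client certificate but none are configured" warning in the original post is what mod_ssl logs when the backend requests a client certificate during the handshake and the proxy has no SSLProxyMachineCertificateFile; the configuration below supplies one and, on the backend side, accepts only that certificate before trusting any identity header. File paths, host names, CA files and the X-SSL-Client-DN header name are assumptions; 10.43.125.11:8443 is the backend from the original post.

```apache
# Added example, not from the thread. Part 1: inside the proxy's SSL
# VirtualHost, talk SSL to the backend using the proxy's OWN client certificate.
SSLProxyEngine on

# PEM certificate followed by its UNENCRYPTED private key, concatenated in one
# file (mod_ssl cannot use encrypted keys here). This is the identity the
# backend sees; it is never the browser's certificate.
SSLProxyMachineCertificateFile /etc/ssl/private/proxy-to-backend.pem   # assumed path

# Verify the backend as well, otherwise the identity headers could be
# delivered to whoever answers on 10.43.125.11:8443.
SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem               # assumed path
SSLProxyVerify       require
SSLProxyVerifyDepth  1
SSLProxyCheckPeerName on      # httpd 2.4.5 and later only; remove on 2.2

ProxyPass        /call/ https://10.43.125.11:8443/
ProxyPassReverse /call/ https://10.43.125.11:8443/


# Part 2: on the backend (10.43.125.11), accept only the proxy's certificate.
<VirtualHost *:8443>
    ServerName backend.example.internal                  # assumed
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/backend.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/backend.key   # assumed path

    # Without this, any host that can reach port 8443 could send an
    # X-SSL-Client-DN header of its choosing and impersonate a user.
    SSLCACertificateFile /etc/ssl/certs/proxy-ca.pem     # assumed: CA that issued the proxy's cert
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
        # Pin to the proxy's subject CN (assumed value) in addition to the CA,
        # so another certificate from the same CA is not enough.
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "proxy.example.com"
    </Location>

    # The application behind this vhost may now treat the X-SSL-Client-DN
    # request header as the authenticated browser identity, because only the
    # pinned proxy could have set it.
</VirtualHost>
```

This is exactly the trust relationship the thread arrives at: the browser's certificate is verified once, at the proxy, and the backend trusts the proxy's word only because it has authenticated the proxy itself with a certificate the proxy does hold the key for. Verifying in both directions on the proxy-to-backend hop is what distinguishes a deliberate, trusted man-in-the-middle from an accidental one.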