ReverseProxy mTLS in backend

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

ReverseProxy mTLS in backend

Paul van Weller

I have configured apache (2.4.6 on RHEL7) as reverse proxy, forwarding requests to a tomcat 8.5 (HTTP connector) which requests a client certificate. 

All works as long as I have the CA certificate of the client certificate used by the apache rp in the configured truststore at the tomcat end.

The thing is that I would like to put only the specific client certificate in the truststore rather than the CA of the certificate. 

When I remove the CA (of the client certificate apache is using to authenticate towards tomcat) from the tomcat truststore and instead add the public certificate apache is supposed to use to authenticate, apache is not willing to pick the right client certificate and backend communication fails. 

   AH02269: Proxy client certificate callback: ( no client certificate found!?

I was hoping I could use SSLProxyMachineCertificateChainFile to tell apache that it is ok to use the certificate configured as per SSLProxyMachineCertificateFile but this does not work either. 

Any hints are highly appreciated. 

Best regards