Apache2 [SOLVED]: Configure Apache Client Certificate Authentication for proxy

  • #36514

    Anonymous

    Question

    I have 3 backend API servers (HTTPS). The API servers have different authorization permissions for different users based on the user certificate. I am configuring Apache to load balance the 3 backend servers, like below:

    <VirtualHost *:zzzz>
           SSLEngine on
           SSLCertificateFile /path/to/server.crt
           SSLCertificateKeyFile /path/to/server.key
           SSLCACertificateFile /path/to/ca.crt
           SSLProxyEngine on
           SSLProxyVerify none
           SSLProxyCheckPeerCN off
           SSLProxyCheckPeerName off
           SSLProxyCheckPeerExpire off
           <Proxy balancer://api_server>
               BalancerMember https://xx.xx.xx.xx:yyyy
               BalancerMember https://xx.xx.xx.xx:yyyy
           </Proxy>
           ProxyPass / balancer://api_server/
    </VirtualHost>
    

    The problem is that when a client requests Apache with certificates, only the request goes to the API server, not the certificates, and the API server responds with unauthorized user. I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, but in this case, the authorization happens only based on certificates.

    Is there a way to blindly forward HTTPS requests to the API? Any other suggestions are warmly welcomed.

    #36515

    Anonymous

    Accepted Answer

    Transforming the comment into an answer since it solved the OP’s question.

    The user talks to Apache, then Apache talks to the balanced machines. That’s the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server’s perspective, Apache is the client.

    The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.

    Source: https://stackoverflow.com/questions/47936249/configure-apache-client-certificate-authentication-for-proxy
    Author: Nic3500
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
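
The layer 4 pass-through the answer describes, as an added example that is not part of the original post: an HAProxy configuration in TCP mode, which relays the TLS bytes untouched so the client-certificate handshake completes on the API server itself. The choice of HAProxy, the section names, the addresses (documentation range 192.0.2.0/24) and the ports are assumptions.

```haproxy
# Added example: layer 4 (TCP) pass-through, no TLS termination on the balancer.
# All names, addresses and ports below are placeholders.
defaults
    mode    tcp                 # relay raw bytes; never parse or decrypt TLS
    option  tcplog              # log connections (no HTTP fields are visible here)
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend api_tls_in
    bind *:8443                 # no "ssl" keyword: no certificate or key lives here
    default_backend api_servers

backend api_servers
    balance roundrobin
    # "check" is a plain TCP connect check; the balancer holds no client
    # certificate, so it cannot make an authenticated HTTPS health request.
    server api1 192.0.2.11:8443 check
    server api2 192.0.2.12:8443 check
    server api3 192.0.2.13:8443 check
```

With this layout each API server must request and verify the client certificate itself, since nothing in front of it inspects the handshake. The API servers see the balancer's address as the TCP source, so any per-user decision has to rest on the certificate rather than on the source IP.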
