httpd-users mailing list archives

From "Andrea Palmieri" <palmi...@eng.it>
Subject Re: [users@httpd] SSL reverse proxy question
Date Fri, 22 Apr 2005 10:36:28 GMT
Thanks a lot


------------------------------------------------
Andrea Palmieri
Product Development
Engiweb Security
Tel. +39 06 49201395
palmieri@eng.it
------------------------------------------------
  ----- Original Message ----- 
  From: Niccolo' Manfrini 
  To: users@httpd.apache.org 
  Sent: Friday, April 22, 2005 12:08 PM
  Subject: Re: [users@httpd] SSL reverse proxy question


  Andrea Palmieri wrote: 
    I'm using Apache as a reverse proxy to hide several backend servers which host several applications

    https://myapache/name1/application_a -> http://ipserver1/application_a
    https://myapache/name1/application_b -> http://ipserver1/application_b
    https://myapache/name2/application_c -> http://ipserver2/application_c


    I'm using SSL client authentication with X.509 certificates to authenticate users.

    I was wondering if I can use different CA certificate files (one for each back-end server)
to authenticate users' client certificates. 
    example 
    users accessing application_a are authenticated using CertCA1
    users accessing application_b are authenticated using CertCA1
    users accessing application_c are authenticated using CertCA2

    The SSLCACertificateFile directive is used to set CA certificate files, but it can't be used within a <Location> context!

    Any suggestion or idea is really appreciated
    Andrea   
  Maybe you can add to your DNS service configuration three CNAME values that point to your reverse proxy server name. For example:

  application_a.mydomain.com, application_b.mydomain.com, application_c.mydomain.com
  should resolve to: reverse_proxy.mydomain.com

  Then append to your reverse proxy httpd.conf three VirtualHost definitions:

  <VirtualHost *:443>
  ServerName application_a.mydomain.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  ProxyPass / http://myinternal_server/application_a/
  ProxyPassReverse / http://myinternal_server/application_a/
  </VirtualHost>

  <VirtualHost *:443>
  ServerName application_b.mydomain.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  ProxyPass / http://myinternal_server/application_b/
  ProxyPassReverse / http://myinternal_server/application_b/
  </VirtualHost>

  <VirtualHost *:443>
  ServerName application_c.mydomain.com
  SSLEngine on
  SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  ProxyPass / http://myinternal_server/application_c/
  ProxyPassReverse / http://myinternal_server/application_c/
  </VirtualHost>


  ------------------------------------------ 
  Niccolo' Manfrini
  Protechta - Information Security 
  Tel. +39 0521 2021
  Fax. +39 0521 207461
  http://www.protechta.it/
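The per-host approach above does answer the original question once the trust anchor is set with SSLCACertificateFile (which is allowed in a VirtualHost context) rather than SSLCertificateFile (the server's own certificate). The following is an added editorial example, not configuration from either poster: one SSL VirtualHost per application, each trusting a different client CA. The hostnames, backend names and file paths are assumptions taken from the thread, and server.crt is assumed to be a certificate valid for all three names (wildcard or subjectAltName). Name-based SSL virtual hosts rely on SNI (mod_ssl in httpd 2.2.12 or later with SNI-capable clients); without it, each VirtualHost needs its own IP:port.

```apache
# Added example, not from the thread. Hostnames, backends and file names are
# assumptions for illustration only.
Listen 443

<VirtualHost *:443>
    ServerName application_a.mydomain.com
    SSLEngine on
    # Server certificate presented to clients (shared by all three hosts)
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # Accept only client certificates issued directly by CertCA1
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
    # Reverse proxy only; never act as a forward (open) proxy
    ProxyRequests Off
    ProxyPass        / http://ipserver1/application_a/
    ProxyPassReverse / http://ipserver1/application_a/
</VirtualHost>

<VirtualHost *:443>
    ServerName application_b.mydomain.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # Same trust anchor as application_a
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
    ProxyRequests Off
    ProxyPass        / http://ipserver1/application_b/
    ProxyPassReverse / http://ipserver1/application_b/
</VirtualHost>

<VirtualHost *:443>
    ServerName application_c.mydomain.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # Different trust anchor: only CertCA2-issued client certificates here
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
    ProxyRequests Off
    ProxyPass        / http://ipserver2/application_c/
    ProxyPassReverse / http://ipserver2/application_c/
</VirtualHost>
```

A client holding a CertCA1 certificate is rejected at the TLS handshake on application_c.mydomain.com, so the backend never sees the request; check with `openssl s_client -connect application_c.mydomain.com:443 -servername application_c.mydomain.com -cert client.pem -key client.key` that the handshake fails for the wrong CA and succeeds for the right one.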