Fiend
Joined: 25 May 2011 Posts: 3
Posted: Wed 25 May '11 17:13 Post subject: Apache reverse proxy to IIS - passing an x509 certificate
Hello,
I have an Apache reverse proxy set up. I have an IIS server on the backend with a site which must be HTTPS and must require client certificates (x509). It seems like the proxy is working great, but the client certificate is not getting passed along the HTTPS request from proxy to IIS.
We keep getting 403.7 (Client certificate required) errors. Does anyone know how I can bridge the client certificate from Apache reverse proxy to IIS?
Our Apache proxy is not set up to require client certs, the IIS website is. What I would expect is that when we make a web request that goes through the proxy to the IIS server, we would get challenged for a client cert for the IIS website (it's set to require client certs like it always has) and that client cert information would be passed along the HTTPS request. We have to be able to programmatically access the x509 cert through code on the IIS website; that's why we need to have the cert passed along.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 26 May '11 15:16
The easiest way is to configure the vhost you run as reverse proxy with SSL and take the same certs you use in your IIS. That would also make it possible not to have SSL from Apache to IIS (if wanted).
client<--->apache_with_ssl<--->IIS_with/out_SSL
Fiend
Joined: 25 May 2011 Posts: 3
Posted: Thu 26 May '11 18:33
Thanks for the reply James. The problem I am having is that the .NET code on the server the proxy is directing to needs to programmatically access the x509 cert that would be included in the HTTPS request.
I think what happens is that when a client makes a request to our backend server, an HTTPS connection is made to the proxy, then a new SSL connection is established from proxy to backend... causing the x509 cert to be lost from the original connection.
I need a way to retain that x509 cert from the original request in the second request that gets made from proxy to backend server.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 27 May '11 9:47
Well, this might work with forwarding the headers. Example:

```apache
NameVirtualHost *:1981
<VirtualHost *:1981>
    ServerName localhost
    ErrorLog C:/apache22/error.log
    CustomLog C:/apache22/access.log combined

    # activate HTTPS on the reverse proxy
    SSLEngine On
    SSLCertificateFile C:/apache22/ssl/mycert.crt
    SSLCertificateKeyFile C:/apache22/ssl/mycert.key

    # activate the client certificate authentication
    SSLCACertificateFile C:/apache22/ssl/client-accepted-ca-chain.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    # initialize the special headers to a blank value to avoid http header forgeries
    RequestHeader set SSL_CLIENT_S_DN ""
    RequestHeader set SSL_CLIENT_I_DN ""
    RequestHeader set SSL_SERVER_S_DN_OU ""
    RequestHeader set SSL_CLIENT_VERIFY ""

    <Location />
        # add all the SSL_* you need in the internal web application
        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
        RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
        RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
        ProxyPass http://IIS_backendserver/
        ProxyPassReverse http://IIS_backendserver/
    </Location>
</VirtualHost>
```

Give it a try, 'cause I don't have an IIS with x.509.
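The vhost above relies on two things that are easy to get wrong when TLS is terminated at the proxy: the proxy must overwrite every forwarded SSL_* header so a client cannot supply its own DN, and the backend must only believe those headers when the request really came from the proxy and mod_ssl reported SSL_CLIENT_VERIFY as SUCCESS. The following is an added example, not code from the thread or from Apache, that models both halves in Python so the trust rules can be exercised without an Apache/IIS pair. It assumes the header names from the vhost (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_VERIFY), DN strings in the Apache 2.2 "/C=.../CN=..." form, and a constructed proxy address of 10.0.0.5.

```python
"""Added example (not from the thread): the header-forwarding pattern from the
vhost above, modelled as two functions.

  proxy_headers()   - proxy side: discard whatever SSL_* headers the client
                      sent and set them from the proxy's own TLS session
                      (the effect of the RequestHeader set ... lines).
  client_identity() - backend side: accept the forwarded identity only from a
                      trusted proxy address and only when verification
                      succeeded.

Header names follow the vhost; the DN format assumed is the Apache 2.2
"/C=US/O=.../CN=..." style. All sample values are constructed.
"""
from typing import Dict, Iterable, Optional

# Headers the proxy forwards and the backend reads (names from the vhost).
FORWARDED = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN", "SSL_CLIENT_VERIFY")

# Constructed sample: what mod_ssl would expose for a verified client cert.
SAMPLE_TLS = {
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/CN=alice",
    "SSL_CLIENT_I_DN": "/C=US/O=Example Corp/CN=Example Client CA",
    "SSL_CLIENT_VERIFY": "SUCCESS",
}

# Constructed sample: address of the reverse proxy as the backend sees it.
TRUSTED_PROXIES = {"10.0.0.5"}


def proxy_headers(client_headers: Dict[str, str], tls: Dict[str, str]) -> Dict[str, str]:
    """Proxy side. Copy the client's request headers, then overwrite every
    forwarded SSL_* header with the value from the proxy's own TLS session,
    or "" when the session has no such value. A DN sent by the client never
    survives this step, which is the point of the blank RequestHeader lines."""
    upstream = dict(client_headers)
    for name in FORWARDED:
        upstream[name] = tls.get(name, "")
    return upstream


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an Apache 2.2 style DN such as "/C=US/O=Example Corp/CN=alice"
    into a dict. Naive on purpose: attribute values containing "/" are not
    handled (mod_ssl 2.4 can emit RFC 2253 "CN=...,O=..." instead)."""
    result: Dict[str, str] = {}
    for part in dn.split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            result[key] = value
    return result


def client_identity(headers: Dict[str, str], peer_ip: str,
                    trusted_proxies: Iterable[str]) -> Optional[Dict[str, Dict[str, str]]]:
    """Backend side. Return the subject and issuer DN of the client cert the
    proxy verified, or None when the request must be treated as anonymous."""
    if peer_ip not in set(trusted_proxies):
        return None  # headers from any other source are untrusted input
    if headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # "", NONE, GENEROUS or FAILED:<reason> all mean no auth
    subject = headers.get("SSL_CLIENT_S_DN", "")
    if not subject:
        return None
    return {
        "subject": parse_dn(subject),
        "issuer": parse_dn(headers.get("SSL_CLIENT_I_DN", "")),
    }


if __name__ == "__main__":
    # A client tries to forge an identity; the proxy had no client cert.
    forged = {"Host": "www.ourserver.com", "SSL_CLIENT_S_DN": "/CN=admin",
              "SSL_CLIENT_VERIFY": "SUCCESS"}
    print(client_identity(proxy_headers(forged, {}), "10.0.0.5", TRUSTED_PROXIES))
    # The same request with a genuinely verified cert at the proxy.
    print(client_identity(proxy_headers(forged, SAMPLE_TLS), "10.0.0.5", TRUSTED_PROXIES))
```

Run stand-alone, the first print shows None (the forged DN was overwritten with "") and the second shows alice's subject and issuer. The IIS-side equivalent is the same two checks: restrict which source addresses may reach the site, and read SSL_CLIENT_VERIFY before SSL_CLIENT_S_DN.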
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Fiend
Joined: 25 May 2011 Posts: 3
Posted: Wed 01 Jun '11 19:27
We are still getting nothing but 403.7 errors (SSL client certificate is required). Does anything look wrong or missing in our config? Also, I wanted to note again that the internal server behind the proxy is an IIS server not Apache.
```apache
<VirtualHost 192.168.140.190:443>
    ServerAdmin admin@admin.com
    ServerName www.ourserver.com:443
    ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/proxy_error.log"
    TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/proxy_access.log"

    #Reverse Proxy
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://www.ourserver.com/
    ProxyPassReverse / https://www.ourserver.com/
    ProxyPreserveHost on
    SSLProxyEngine on
    SSLProxyCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/proxyCA.pem"
    SSLProxyCARevocationFile "C:/Program Files/Apache Software Foundation/Apache2.2/crl/crl.pem"
    SSLProxyVerify require
    SSLProxyVerifyDepth 4
    SSLOptions +ExportCertData +StdEnvVars

    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCipherSuite HIGH:+TLSv1:+EXP

    # Server Certificate:
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.pem"
    # Server Private Key:
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"
    # Server Certificate Chain:
    SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/serverCertChain.pem"
    # Certificate Authority (CA):
    SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/serverCA.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars +ExportCertData
    </FilesMatch>
    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
        SSLOptions +StdEnvVars +ExportCertData
    </Directory>

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/proxy_ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

mod note: added bb tags
nel100
Joined: 19 Jan 2012 Posts: 1 Location: US,NY
Posted: Thu 19 Jan '12 17:45
Hi Fiend,
Have you solved this problem? I'm facing a similar problem.
Thanks
needhelp101
Joined: 01 Feb 2014 Posts: 1 Location: sterling va
Posted: Mon 03 Feb '14 17:37
I have the same problem. Has anybody solved this?
My backend app is aspx and needs the client certs. I need a reverse proxy solution, Apache or otherwise, which forwards the client cert to the backend IIS.
I have Apache and IIS both requiring client certs separately. I have the reverse proxy working with HTTPS. I am currently stuck trying to get the reverse proxy to forward client certs to IIS.
wurstsalat
Joined: 12 Oct 2014 Posts: 1
Posted: Sun 12 Oct '14 19:48 Post subject: And one more user asking for a solution
Did anyone ever solve this issue?