logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache reverse proxy to IIS - passing an x509 certificate
Author
Fiend



Joined: 25 May 2011
Posts: 3

PostPosted: Wed 25 May '11 17:13    Post subject: Apache reverse proxy to IIS - passing an x509 certificate Reply with quote

Hello,

I have an Apache reverse proxy set up. I have an IIS server on the backend with a site which must be HTTPS and must require client certificates (x509). It seems like the proxy is working great, but the client certificate is not getting passed along the HTTPS request from proxy to IIS.

We keep getting 403.7 (Client certificate required) errors. Does anyone know how I can bridge the client certificate from Apache reverse proxy to IIS?

Our Apache proxy is not set up to require client certs, the IIS website is. What I would expect is that when we make a web request that goes through the proxy to the IIS server, that we would get challenged for a client cert for the IIS website (its set to require client certs like it always has) and that client cert information would be passed along the HTTPS request. We have to be able to programatically access the x509 cert through code on the IIS website, thats why we need to have the cert passed along.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Thu 26 May '11 15:16    Post subject: Reply with quote

The easiest way is to configure the vhost you run as reverse proxy with SSL take the same certs you use in your IIS. That would it make also possible not to have SSL from apache to IIS (if wanted).

client<--->apache_with_ssl<--->IIS_with/out_SSL
Back to top
Fiend



Joined: 25 May 2011
Posts: 3

PostPosted: Thu 26 May '11 18:33    Post subject: Reply with quote

Thanks for the reply James. The problem I am having is that the .NET code on the server the proxy is directing to needs to programatically access the x509 cert that would be included in the HTTPS request.

I think what happens is that when a client makes a request to our backend server, an HTTPS connection is made to the proxy, then a new SSL connection is established from proxy to backend... causing the x509 cert to be lost from the original connection.

I need a way to retain that x509 cert from the original request in the second request that gets made from proxy to backend server.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 27 May '11 9:47    Post subject: Reply with quote

Well this might work with forwarding the headers.

example

Code:

NameVirtualHost *:1981
<VirtualHost *:1981>
   ServerName localhost
 
   ErrorLog C:/apache22/error.log
   CustomLog C:/apache22/access.log combined
 
   # activate HTTPS on the reverse proxy
   SSLEngine On
   SSLCertificateFile   C:/apache22/ssl/mycert.crt
   SSLCertificateKeyFile C:/apache22/ssl/mycert.key
 
   # activate the client certificate authentication
   SSLCACertificateFile C:/apache22/ssl/client-accepted-ca-chain.crt
   SSLVerifyClient require
   SSLVerifyDepth 2
 
   <Proxy *>
     AddDefaultCharset Off
     Order deny,allow
     Allow from all
   </Proxy>
 
   # initialize the special headers to a blank value to avoid http header forgeries
   RequestHeader set SSL_CLIENT_S_DN    ""
   RequestHeader set SSL_CLIENT_I_DN    ""
   RequestHeader set SSL_SERVER_S_DN_OU ""
   RequestHeader set SSL_CLIENT_VERIFY  ""
 
   <Location />
     # add all the SSL_* you need in the internal web application
     RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
     RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
     RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
     RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
 
     ProxyPass          http://IIS_backendserver/
     ProxyPassReverse   http://IIS_backendserver/
   </Location>
</VirtualHost>


Give it a try cause I don't have an IIS with x.509
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 30 May '11 6:29    Post subject: Reply with quote

Remember, the reverse proxy is like a WEB client for the IIS server, don't need the certs or private keys from the internal Apache server, only the CA.

For configuring Apache, mod_proxy needs to know the Certification Authority (CA), wich signed the certificates from the remote webservers.

The directives are SSLProxyCACertificateFile , or SSLProxyCACertificatePath .

see:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxycacertificatefile
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxycacertificatepath

In the mod_security handbook is also info found, with an example conf:

http://adolfomaltez.wordpress.com/2011/05/29/apache-reverse-proxy-modsecurity/


Steffen
Back to top
Fiend



Joined: 25 May 2011
Posts: 3

PostPosted: Wed 01 Jun '11 19:27    Post subject: Reply with quote

We are still getting nothing but 403.7 errors (SSL client certificate is required). Does anything look wrong or missing in our config? Also, I wanted to note again that the internal server behind the proxy is an IIS server not Apache.
Code:

<VirtualHost 192.168.140.190:443>

   ServerAdmin admin@admin.com
   ServerName www.ourserver.com:443
   ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/proxy_error.log"
   TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/proxy_access.log"

   #Reverse Proxy
   ProxyRequests Off
   <Proxy *>
       Order deny,allow
       Allow from all
   </Proxy>

          ProxyPass / https://www.ourserver.com/
   ProxyPassReverse / https://www.ourserver.com/
   ProxyPreserveHost on

   SSLProxyEngine on   

   SSLProxyCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/proxyCA.pem"
   SSLProxyCARevocationFile "C:/Program Files/Apache Software Foundation/Apache2.2/crl/crl.pem"
   SSLProxyVerify require
   SSLProxyVerifyDepth 4

   SSLOptions +ExportCertData +StdEnvVars

   #   Enable/Disable SSL for this virtual host.
   SSLEngine on

   SSLCipherSuite HIGH:+TLSv1:+EXP

   #   Server Certificate:
   SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.pem"

   #   Server Private Key:
   SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"

   #   Server Certificate Chain:
   SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/serverCertChain.pem"

   #   Certificate Authority (CA):
   SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/serverCA.pem"

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars +ExportCertData
   </FilesMatch>
   <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
       SSLOptions +StdEnvVars +ExportCertData
   </Directory>

   BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

   CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/proxy_ssl_request.log" \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


mod note: added bb tags
Back to top
nel100



Joined: 19 Jan 2012
Posts: 1
Location: US,NY

PostPosted: Thu 19 Jan '12 17:45    Post subject: Reply with quote

Hi Fiend,
Have you solved this problem. I'm facing a similar problem.
Thanks
Back to top
needhelp101



Joined: 01 Feb 2014
Posts: 1
Location: sterling va

PostPosted: Mon 03 Feb '14 17:37    Post subject: Reply with quote

I have the same problem. Has anybody solved this?

My backend app is aspx and needs the client certs. I need a reverse proxy solution, apache or otherwise, which forwards the client cert to the backend IIS.

I have apache and IIS both requiring clients certs separately. I have the reverse proxy working with https. I am currently stuck trying to get the reverse proxy to forward client certs to IIS.
Back to top
wurstsalat



Joined: 12 Oct 2014
Posts: 1

PostPosted: Sun 12 Oct '14 19:48    Post subject: And one more user asking for a solution Reply with quote

Did anyone ever solve this issue?
Back to top


Reply to topic   Topic: Apache reverse proxy to IIS - passing an x509 certificate View previous topic :: View next topic
Post new topic   Forum Index -> Apache