Re: [users@httpd] Apache as a Mutual SSL enabled Forward Proxy


I was able to get it to work by setting the SSL artifacts at the client's end but not in the Apache server. I thought SSL is applied at Server to Apache and Apache to Client is non-encrypted. So I have to place the certs and keys at the Apache Server.

Is it that the Apache forward proxy is just doing a passthrough and the connection is encrypted from Client to Server?

Thanks,
Eranda

On Wed, May 30, 2018 at 5:57 AM, Miguel González <miguel_3_gonzalez@xxxxxxxx.invalid> wrote:
Never heard of mutual ssl enabled before. What is the use case for this setup?

Would it work for having Nginx SSL offloading to Apache? Any docs?



On 05/24/18 10:00 PM, William A Rowe Jr wrote:
Your next thing to test, from a vanilla/completely reset browser, would be
to load up these corresponding cert+key and ca chain files into that blank
slate, and ensure that these credentials actually work against your backend;

  SSLProxyMachineCertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\key-client.pem
  SSLProxyCACertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\server.pem

Also drop your proxy server's log level to debug and discover what it has to say.

On Thu, May 24, 2018 at 2:42 AM, eranda rajapaksha <erandacr@xxxxxxxxx> wrote:
Hi all,

I'm trying to configure Apache http server as a forward proxy with mutual ssl enabled. Following is the setup,

[HTTP client] ----------> [Apache Http Server]----------->[Web Server]

I need to enable Mutual SSL between Apache Http Server and Web Server. Following is the proxy I have configured. It works fine when connecting to other internet web servers.

Listen 3128
 
<VirtualHost *:3128>
  ProxyRequests On
  SSLProxyEngine On
  SSLVerifyClient require
  SSLVerifyDepth  10
  
  SSLProxyMachineCertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\key-client.pem
  SSLProxyCACertificateFile D:\sys-projects\aaa\Apache24\Apache24\security\server.pem
  
</VirtualHost>  


I have tested connecting the client directly to the Web server, bypassing the Apache Forward proxy, and it works fine. But when it tries to connect through the Apache server I'm getting the following error on the client's end,

java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Proxy Error"

Even if I just enable one way SSL, the behavior is the same. Am I not importing the Server cert correctly into Apache? Or is there some other configuration issue in my setup?

Please help me on this.


Thanks,
--
Eranda Rajapakshe
Computer Science and Engineering Undergraduate,
University of Moratuwa.

--
Eranda Rajapakshe
Computer Science and Engineering Undergraduate,
University of Moratuwa.
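
The two cases this thread distinguishes, as an added example configuration that is not from the original posts: a forward proxy that only tunnels CONNECT (the mode the Java client's "Unable to tunnel through proxy" error refers to), next to a reverse proxy where Apache itself originates the TLS connection and the SSLProxy* directives take effect. The backend hostname, port 8443, listener 8080, file paths and the 10.0.0.0/8 range are placeholders.

```apache
# Added example; hostnames, ports 8080/8443, paths and the IP range are placeholders.

# (A) Forward proxy on 3128. An HTTPS client sends "CONNECT host:port" and
#     mod_proxy_connect relays the bytes, so the TLS handshake, including
#     the client certificate, is between the HTTP client and the web server.
#     SSLProxy* directives are not used for these tunnels, and
#     SSLVerifyClient only concerns clients that speak TLS to Apache itself.
Listen 3128
<VirtualHost *:3128>
  ProxyRequests On
  # Ports CONNECT may reach (the default is 443 and 563).
  AllowCONNECT 443 8443
  <Proxy "*">
    # Restrict who may use the forward proxy so it is not an open relay.
    Require ip 10.0.0.0/8
  </Proxy>
  # Per-module debug logging for proxy decisions such as a 403.
  LogLevel info proxy:debug proxy_connect:debug
</VirtualHost>

# (B) Reverse proxy on 8080. Apache opens the TLS connection itself, so here
#     it presents the client certificate and verifies the web server.
Listen 8080
<VirtualHost *:8080>
  SSLProxyEngine On
  # PEM file holding the client certificate and its unencrypted private key.
  SSLProxyMachineCertificateFile "conf/security/key-client.pem"
  # CA (or server certificate) used to verify the backend.
  SSLProxyCACertificateFile "conf/security/server.pem"
  SSLProxyVerify require
  SSLProxyCheckPeerName On
  ProxyPass        "/" "https://backend.example.internal:8443/"
  ProxyPassReverse "/" "https://backend.example.internal:8443/"
</VirtualHost>
```

In (A) the client keeps the certificate and key, and the proxy sees only ciphertext; in (B) the hop from the HTTP client to Apache is plain HTTP unless SSLEngine is also enabled on that listener.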