The most classical reverse proxies utilizations are:
The problem we are tackling in this article is about X509 client certificate authentications. By definition and for security, a HTTPS request clear content cannot be spied. This is why when putting a reverse proxy behind the client and the internal web application, the HTTPS stream will be broken and we will loose all the client certificate data.
Here is some tips to forward without many efforts the client certificate data to the web application:
In this situation, the reverse proxy is an apache and the internal web application is also an apache. The tip is to use the headers modules to manually forward the wanted client cert data. Of course for security reasons, you have to configure your reverse proxy to only allow wanted client certificate (based on the AC for example).
On debian, to activate the headers module, just type this command:
sudo a2enmod headers
Then you have to edit the appropriate reverse proxy virtual host directive this way:
Listen 1981 NameVirtualHost *:1981 <VirtualHost *:1981> ServerName localhost ErrorLog /var/log/apache2/1981.error.log CustomLog /var/log/apache2/1981.access.log combined # activate HTTPS on the reverse proxy SSLEngine On SSLCertificateFile /etc/apache2/ssl/mycert.crt SSLCertificateKeyFile /etc/apache2/ssl/mycert.key # activate the client certificate authentication SSLCACertificateFile /etc/apache2/ssl/client-accepted-ca-chain.crt SSLVerifyClient require SSLVerifyDepth 2 <Proxy *> AddDefaultCharset Off Order deny,allow Allow from all </Proxy> # initialize the special headers to a blank value to avoid http header forgeries RequestHeader set SSL_CLIENT_S_DN "" RequestHeader set SSL_CLIENT_I_DN "" RequestHeader set SSL_SERVER_S_DN_OU "" RequestHeader set SSL_CLIENT_VERIFY "" <Location /> # add all the SSL_* you need in the internal web application RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s" RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s" RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s" ProxyPass http://localhost:50161/ ProxyPassReverse http://localhost:50161/ </Location> </VirtualHost>
The important directives are the RequestHeader lines. You can found a complete list of the SSL environement variables at the online apache documentation.
In this situation, the reverse proxy is an apache again and the internal web application is a tomcat server. The tip is to use the AJP protocol. Once your tomcat is configured with an AJP connector, you just have to configure HTTPS with a special option (+ExportCertData) on your apache reverse proxy.
Listen 1979 NameVirtualHost *:1979 <VirtualHost *:1979> ServerName localhost ErrorLog /var/log/apache2/1979.error.log CustomLog /var/log/apache2/1979.access.log combined SSLEngine On SSLCertificateFile /etc/apache2/ssl/mycert.crt SSLCertificateKeyFile /etc/apache2/ssl/mycert.key SSLCACertificateFile /etc/apache2/ssl/client-accepted-ca-chain.crt SSLVerifyClient optional SSLVerifyDepth 2 # this option is mandatory to force apache to forward the client cert data to tomcat SSLOptions +ExportCertData <Proxy *> AddDefaultCharset Off Order deny,allow Allow from all </Proxy> ProxyPass / ajp://localhost:8009/ ProxyPassReverse / ajp://localhost:8009/ </VirtualHost>