I stumbled into a situation where a reverse proxy had two different
backends behind the same VHost of the proxy. Both backends demand client
certs, as is becoming more and more common for services today. Unfortunately
the CA which issues the client certs in both cases is the same CA, but
the demanded client cert is individual to the backend services.

As far as I can see, this is currently not configurable. The
SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath only
work on the VHost level and the client cert detection algo in
ssl_callback_proxy_cert() chooses the first client cert it can find
which was issued by the right CA. No way to distinguish further.

To me it looks like the "right" way of handling SSLProxy* config would
be per <Proxy>. Did anyone else already encounter a similar problem? Any
thoughts or experiments on how to solve this for the future?

Regards,
Rainer
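
The ambiguity described in the message above, as an added example that is not part of the original post and is not mod_ssl source: a simplified model of a first-match-by-issuer rule next to a hypothetical per-backend rule. The struct, the function names and all certificate names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not mod_ssl source: a proxy client cert reduced to two names. */
struct machine_cert {
    const char *subject;  /* constructed sample value */
    const char *issuer;   /* constructed sample value */
};

/* First-match rule as the post describes it: first cert whose issuer the backend accepts. */
static int pick_first_by_issuer(const struct machine_cert *certs, int ncerts,
                                const char *const *ca_names, int nca)
{
    for (int i = 0; i < ncerts; i++)
        for (int j = 0; j < nca; j++)
            if (strcmp(certs[i].issuer, ca_names[j]) == 0)
                return i;
    return -1;
}

/* Hypothetical per-backend rule: issuer must match AND subject must be the one
 * configured for this backend (what a per-<Proxy> setting would make possible). */
static int pick_for_backend(const struct machine_cert *certs, int ncerts,
                            const char *const *ca_names, int nca,
                            const char *wanted_subject)
{
    for (int i = 0; i < ncerts; i++) {
        if (strcmp(certs[i].subject, wanted_subject) != 0)
            continue;
        if (pick_first_by_issuer(&certs[i], 1, ca_names, nca) == 0)
            return i;
    }
    return -1;
}

/* Constructed sample data: two certs issued by one CA, one meant for each backend. */
static const struct machine_cert vhost_certs[] = {
    { "CN=proxy-for-backend-a", "CN=Example Internal CA" },
    { "CN=proxy-for-backend-b", "CN=Example Internal CA" },
};
static const char *const backend_ca_list[] = { "CN=Example Internal CA" };

int main(void)
{
    int a = pick_first_by_issuer(vhost_certs, 2, backend_ca_list, 1);
    int b = pick_for_backend(vhost_certs, 2, backend_ca_list, 1,
                             "CN=proxy-for-backend-b");
    printf("first-match: %s\nper-backend: %s\n",
           vhost_certs[a].subject, vhost_certs[b].subject);
    return 0;
}
```

Because both backends send the same CA name, the first-match rule returns index 0 for either of them, so backend B is offered the cert meant for backend A.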
- Allow SSLProxy* config in <Proxy> context? Rainer Jung