I don't think client certificates are a "strong" means of authentication, but... You should create one virtual host per reverse-proxy (don't forget the Listen xxx directives...) and put these lines in your httpd.conf:

<VirtualHost _default_:xxx>
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    # CA certificates accepted when verifying client certificates
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
    # Refuse the handshake unless the client presents a valid certificate
    SSLVerifyClient require
    SSLVerifyDepth 4
    # FakeBasicAuth presents the certificate subject DN as the Basic auth user name
    SSLOptions +FakeBasicAuth +StdEnvVars
    ProxyPass / http://your.destination.host/
    ProxyPassReverse / http://your.destination.host/
    #
    # Restrict access with Certificates
    #
    <Directory proxy:*>
        SSLRequireSSL
        AuthName "OpenSCEP"
        AuthType Basic
        AuthUserFile /usr/local/apache/auth/proxy1
        require valid-user
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

In the file /usr/local/apache/auth/proxy1 you put one line per client certificate, like this:

    CompleteDistinguishedNameInCertificate:xxj31ZMTZzkVA

If you only need to verify that the client has a certificate (from you), you can omit lines 2, 3, 4 and 5 after <Directory proxy:*>, and be sure that you have ONLY your CA certificate in ca-bundle.crt.

Regards
Alberto Guglielmo
[EMAIL PROTECTED]
Key Fingerprint: 7EAF 9E34 2838 7C6B EE47 E8F0 FFC5 3CBC 90AA 5EEE
PGP Keys at: http://pgpkeys.mit.edu:11371

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mike Murray
Sent: Friday, 25 January 2002 0.49
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: SSL Proxy with Strong Authentication

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0xE7BB55BE
*** Signed: 25/01/2002 0.48.38
*** Verified: 25/01/2002 10.27.05
*** BEGIN PGP VERIFIED MESSAGE ***

Hi all,

I'm investigating using Apache and SSL for (reverse) proxying HTTPS requests; however, one of the requirements of the task is to have a strong auth mechanism in place. I had two ideas, both of which have led me to a dead end:

1. Use the ProxyPass and ProxyPassReverse directives to authorize connections, and requiring client certs to authenticate to the server.
2. Using a normal SSL page to authenticate via client certs, and using an .htaccess file in the DocRoot of the proxy server to auth IP addresses.

Both seemed likely, and both have failed. The first because the directives don't work as I had hoped, and the second because I can't find anywhere to put an .htaccess file that makes sense to the <Directory proxy> section.

So, this is a two-part question: first, does anybody have any idea on how to use .htaccess to control access to the proxy, and/or, does anybody have any ideas on what will accomplish this task?

Thanks,
Mike

--
| Mike Murray <[EMAIL PROTECTED]>
| Scientific Technologist          http://www.nCircle.com
| nCircle Network Security

*** END PGP VERIFIED MESSAGE ***

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
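
Added example, not part of the original thread: a small Python check for the FakeBasicAuth user file described in the reply above (one line per client certificate, the subject DN followed by the fixed hash). The function names and the sample DNs are constructed for illustration, and the one-line /C=.../CN=... DN form is an assumption about how the subject is written in the file.

```python
# Added example: lint a FakeBasicAuth user file such as /usr/local/apache/auth/proxy1.
FAKE_HASH = "xxj31ZMTZzkVA"  # fixed value from the message (crypt form of "password")

def make_entry(subject_dn):
    """Return the user-file line for one client certificate subject DN."""
    dn = subject_dn.strip()
    if dn.startswith("subject="):      # tolerate raw `openssl x509 -subject` output
        dn = dn[len("subject="):].strip()
    if not dn.startswith("/"):
        raise ValueError("expected one-line DN starting with '/': %r" % dn)
    if ":" in dn:
        raise ValueError("DN contains ':', which a user:hash line cannot carry")
    return "%s:%s" % (dn, FAKE_HASH)

def lint_userfile(text):
    """Return a list of (line_number, problem) for a FakeBasicAuth user file."""
    problems, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, sep, pw = line.rpartition(":")   # the hash is the last field
        if not sep:
            problems.append((n, "no ':' separator"))
            continue
        if pw != FAKE_HASH:
            problems.append((n, "password field is not the fixed FakeBasicAuth hash"))
        if not dn.startswith("/"):
            problems.append((n, "user name is not a one-line subject DN"))
        if ":" in dn:
            problems.append((n, "DN contains ':' and will be split at the wrong place"))
        if dn in seen:
            problems.append((n, "duplicate DN"))
        seen.add(dn)
    return problems

# Constructed sample file; the DNs are made up for illustration.
SAMPLE = """\
/C=IT/O=Example Org/CN=proxy-client-1:xxj31ZMTZzkVA
/C=IT/O=Example Org/CN=proxy-client-2:$apr1$abc$notthefixedhash
CN=proxy-client-3,O=Example Org,C=IT:xxj31ZMTZzkVA
/C=IT/O=Example Org/CN=proxy-client-1:xxj31ZMTZzkVA
"""

if __name__ == "__main__":
    for lineno, problem in lint_userfile(SAMPLE):
        print("line %d: %s" % (lineno, problem))
    print(make_entry("subject=/C=IT/O=Example Org/CN=proxy-client-4"))
```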