Re: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-29 Thread Marc Schöchlin
Hi,

thanks for your response.

I know that F5 loadbalancers can do this - unfortunately I use a shared
loadbalancer without the possibility to make fast changes to the
certificate revocation list.

Regards
Marc

 
On 28.06.2014 19:54, Marco Pizzoli wrote:
 Hi Marc,
 as an F5 user maybe you are not yet aware that with F5, leveraging
 iRules, you can:
 - implement client cert verification/validation, also specifically
 checking the CN of the certificate
 - publish to the Apache backend custom HTTP headers carrying
 information extracted from the client certificate

 Both cases are well documented on the F5 site. The first one in
 particular I can confirm, having implemented it on my own.

 Is it something useful to your case?

 Regards
 Marco









Re: AW: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-28 Thread Marc Schöchlin
Hi,

On 06/26/2014 04:08 PM, andre.wen...@bmw.de wrote:
 Why do you terminate the SSL on the F5 and not on the Apache backend? We load 
 balance IP/port-based on the F5 and terminate the SSL on the Apache backend, 
 so you would be able to turn on your SSLEngine and proxy the SSL from the F5 
 on the standard SSL port 443 of the Apache and you can do everything you 
 want because you have all SSL information.

I use a wildcard certificate on my frontend IP to do iRule-based (looking for 
the host header) backend pool selection.
Therefore it would be good to terminate SSL in the F5.

I will now use a new frontend IP on the loadbalancer and then forward 
the traffic to the backend servers.

Regards
Marc

-- 
GPG encryption available: 0x670DCBEC/pool.sks-keyservers.net


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: AW: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-28 Thread Marco Pizzoli
Hi Marc,
as an F5 user maybe you are not yet aware that with F5, leveraging iRules, you
can:
- implement client cert verification/validation, also specifically checking
the CN of the certificate
- publish to the Apache backend custom HTTP headers carrying information
extracted from the client certificate

Both cases are well documented on the F5 site. The first one in particular
I can confirm, having implemented it on my own.

Is it something useful to your case?

Regards
Marco








AW: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-26 Thread Andre.Wendel
Why do you terminate the SSL on the F5 and not on the Apache backend? We load 
balance IP/port-based on the F5 and terminate the SSL on the Apache backend, so 
you would be able to turn on your SSLEngine and proxy the SSL from the F5 on 
the standard SSL port 443 of the Apache and you can do everything you want 
because you have all SSL information.

Cheers,
André




[users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-25 Thread Marc Schöchlin
Hello apache-users,

I'm trying to implement client certificate authentication behind an F5
loadbalancer.

My loadbalancer terminates SSL, and dispatches the decrypted
communication via network address translation to the backend Apache server.
The client certificate auth should be performed at the webserver.

Unfortunately the SSLVerifyClient directive is ignored and access is
always granted.
It seems that without enabled SSL transport encryption, the logic for
SSLVerifyClient is deactivated.


Any hints?

Setup Overview:

[Browser with client cert]-HTTPS/443-[Loadbalancer with SSL termination]--HTTP/80--[Apache 2.2.11]

Apache Configuration:
---
<VirtualHost *:80>
    DocumentRoot /data/etc/htdocs

    ServerName fooo-bar-test.f.de

    CustomLog "|/usr/sbin/rotatelogs -l /data/logs/access-guisel-test.f.de.%Y-%m-%d.log 86400" combined_foobar_withdomain
    ErrorLog "|/usr/sbin/rotatelogs -l /data/logs/error-guisel-test.f.de.%Y-%m-%d.log 86400"

    SSLCACertificateFile /datashare/etc/ca/keys/ca.crt
    # SSLCARevocationFile /datashare/etc/ca/keys/ca.crl

    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Foobar"
        Satisfy all
    </Location>
</VirtualHost>
---



Regards Marc



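André's suggestion (let the F5 pass port 443 through untouched and terminate TLS on Apache, so the client certificate is part of the handshake mod_ssl itself sees) applied to the vhost from the original post, as an added example rather than configuration from the thread. It assumes the F5 forwards 443 as plain TCP (so the host-header based pool selection Marc mentions no longer applies, hence his separate frontend IP) and that the server certificate paths are placeholders.

```apache
# Added example, not from the thread. Apache terminates TLS itself and asks
# for a client certificate during the handshake; the F5 only forwards TCP/443.
Listen 443
<VirtualHost *:443>
    ServerName   fooo-bar-test.f.de
    DocumentRoot /data/etc/htdocs

    # Server-side TLS: the wildcard certificate from the public CA.
    # Paths below are placeholders (assumption).
    SSLEngine on
    SSLCertificateFile      /datashare/etc/ssl/wildcard.crt
    SSLCertificateKeyFile   /datashare/etc/ssl/wildcard.key
    SSLCertificateChainFile /datashare/etc/ssl/wildcard-chain.crt

    # Client-side TLS: only certificates issued by the private CA are
    # accepted. SSLCACertificateFile is the CA used to verify client
    # certificates (and advertised in the CertificateRequest); the CRL
    # stays commented out as in the original post.
    SSLCACertificateFile /datashare/etc/ca/keys/ca.crt
    # SSLCARevocationFile /datashare/etc/ca/keys/ca.crl

    # At vhost level the client certificate is requested in the initial
    # handshake. Inside <Location> (as in the original) mod_ssl must
    # renegotiate after it has seen the request URI.
    SSLVerifyClient require
    SSLVerifyDepth  10

    <Location />
        # Only certificates whose subject O is "Foobar" pass; the CA
        # signature was already checked by SSLVerifyClient. (2.2 syntax:
        # in 2.4 use Require expr %{SSL_CLIENT_S_DN_O} == "Foobar".)
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Foobar"
        Satisfy all
        # Export SSL_CLIENT_* variables so scripts and logs can see
        # which certificate authenticated the request.
        SSLOptions +StdEnvVars
    </Location>

    CustomLog "|/usr/sbin/rotatelogs -l /data/logs/access-guisel-test.f.de.%Y-%m-%d.log 86400" combined_foobar_withdomain
    ErrorLog  "|/usr/sbin/rotatelogs -l /data/logs/error-guisel-test.f.de.%Y-%m-%d.log 86400"
</VirtualHost>
```

With this layout the F5 never sees plaintext HTTP, which is exactly why it can no longer select a backend pool by host header.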

Re: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-25 Thread Eric Covener
On Wed, Jun 25, 2014 at 3:08 PM, Marc Schöchlin m...@256bit.org wrote:
 [Browser with client cert]-HTTPS/443-[Loadbalancer with SSL
 termination]--HTTP/80--[Apache 2.2.11]


What certificate would Apache have access to if the LB communicates to
it with HTTP?

-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-25 Thread Jens-U. Mozdzen

Hi Marc,

Quoting Marc Schöchlin m...@256bit.org:

Hello apache-users,

I'm trying to implement client certificate authentication behind an F5
loadbalancer.

My loadbalancer terminates SSL, and dispatches the decrypted
communication via network address translation to the backend Apache server.
The client certificate auth should be performed at the webserver.

Unfortunately the SSLVerifyClient directive is ignored and access is
always granted.
It seems that without enabled SSL transport encryption, the logic for
SSLVerifyClient is deactivated.


Any hints?


Yes, your web server is only seeing the plain HTTP traffic - all the
SSL stuff got stripped at the load balancer.


You're, so to speak, asking to look at the postage stamp of a letter, while
you only received the content because your mail service already
unpacked everything and dumped the envelope...


Regards,
Jens






Re: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-25 Thread Marc Schöchlin
Hi,

In my understanding authentication using client certificates is just a
cryptographic validation of a public/private keypair over an already
established SSL-secured channel.
For example, it is possible to use an official certificate for the SSL
channel and my own CA for client certificate validation.

Meanwhile I tried to find the suitable RFC to get details about this
problem - probably http://tools.ietf.org/html/rfc5246#page-55 might be
the right one.
Does anybody have the suitable background know-how of the RFC and mod_ssl
to help me find out the source of the problem?

Regards
Marc




Re: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-25 Thread Eric Covener
On Wed, Jun 25, 2014 at 5:53 PM, Marc Schöchlin m...@256bit.org wrote:
 In my understanding authentication using client certificates is just a
 cryptographic validation of a public/private keypair over an already
 established SSL-secured channel.
 For example, it is possible to use an official certificate for the SSL
 channel and my own CA for client certificate validation.

It's part of the handshake, which can be later scrutinized by the
application layer.

However, there is no standard way to share the client certificate
authenticated by a proxy with a backend origin server, and no way at
all that mod_ssl is willing to receive (that I am aware of).

-- 
Eric Covener
cove...@gmail.com
