Re: AW: [users@httpd] Client certificate auth behind f5 loadbalancer
Hi,

On 06/26/2014 04:08 PM, andre.wen...@bmw.de wrote:
> Why do you terminate the SSL on the F5 and not on the Apache backend?
> We load balance IP/port-based on the F5 and terminate the SSL on the Apache backend, so you would be able to turn on your SSLEngine and proxy the SSL from the F5 to the standard SSL port 443 of the Apache, and you can do everything you want because you have all SSL information.

I use a wildcard certificate on my frontend IP to do iRule-based (looking at the host header) backend pool selection. Therefore it would be good to terminate SSL on the F5.

I will now use a new frontend IP on the load balancer and then I will forward the traffic to the backend servers.

Regards
Marc

--
GPG encryption available: 0x670DCBEC/pool.sks-keyservers.net

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: AW: [users@httpd] Client certificate auth behind f5 loadbalancer
Hi Marc,

as an F5 user, maybe you are not yet aware that with F5, leveraging iRules, you can:
- implement client cert verification/validation, also specifically checking the CN of the certificate
- publish to the Apache backend custom HTTP headers carrying information extracted from the client certificate

Both cases are well documented on the F5 site. The first one in particular I can say by having implemented on my own.

Is it something useful to your case?

Regards
Marco

On Sat, Jun 28, 2014 at 5:04 PM, Marc Schöchlin m...@256bit.org wrote:
> Hi,
>
> On 06/26/2014 04:08 PM, andre.wen...@bmw.de wrote:
>> Why do you terminate the SSL on the F5 and not on the Apache backend?
>> [...]
>
> I use a wildcard certificate on my frontend IP to do iRule-based (looking at the host header) backend pool selection. Therefore it would be good to terminate SSL on the F5.
>
> I will now use a new frontend IP on the load balancer and then I will forward the traffic to the backend servers.
>
> Regards
> Marc
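The header-publishing approach Marco describes has one well-known failure mode: once the backend trusts an HTTP header as proof of client-certificate identity, anything that can reach the backend and set that header is authenticated. The backend must therefore honour the header only when the TCP peer is the load balancer, and the balancer must unconditionally overwrite (or strip) the header on every request so a client cannot smuggle its own value through. The following is an added example, not code from this thread, from F5 or from httpd: a small backend-side check in Python. The header names (`X-Client-Cert-CN`, `X-Client-Cert-Verify`), the verify-header values, the trusted proxy range and the sample requests are all assumptions made up for the example.

```python
"""
Backend-side handling of client-certificate attributes forwarded by a
TLS-terminating load balancer that has already validated the certificate.

Everything below is a constructed example: the header names, the values
the balancer is assumed to put in them, the proxy address range and the
sample requests are assumptions, not taken from F5 documentation.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed header names the balancer publishes after verifying the client cert.
CERT_CN_HEADER = "X-Client-Cert-CN"
CERT_VERIFY_HEADER = "X-Client-Cert-Verify"      # assumed values: SUCCESS / NONE / FAILED

# Only these source addresses may assert a client-certificate identity.
# Assumption: the balancer's backend-facing addresses live in this range.
TRUSTED_PROXIES: List[ipaddress.IPv4Network] = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    peer_ip: str                      # address of the TCP peer that delivered the request
    headers: Dict[str, str] = field(default_factory=dict)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the request arrived from an address we accept identity assertions from."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def authenticated_cn(req: Request) -> Optional[str]:
    """Return the client-certificate CN asserted by the balancer, or None.

    None means "treat as unauthenticated".  The CN header is honoured only when
    (a) the TCP peer is a trusted proxy, so the header was set by the balancer
        rather than by whoever connected to the backend directly, and
    (b) the balancer reports a successful verification for this request.
    """
    if not is_trusted_proxy(req.peer_ip):
        # Direct connection (or an untrusted hop): any cert headers are attacker input.
        return None
    if _header(req.headers, CERT_VERIFY_HEADER) != "SUCCESS":
        # Balancer saw no cert, or the chain/CN check failed on the balancer.
        return None
    cn = _header(req.headers, CERT_CN_HEADER)
    if not cn or not cn.strip():
        return None
    return cn.strip()


def is_authorized(req: Request, allowed_cns: List[str]) -> bool:
    """Authorization step: the balancer-asserted CN must be on an explicit allow list."""
    cn = authenticated_cn(req)
    return cn is not None and cn in allowed_cns


if __name__ == "__main__":
    # Constructed sample traffic: one genuine request relayed by the balancer,
    # one spoofing attempt that connects to the backend directly with the same headers.
    genuine = Request("10.0.0.5", {CERT_VERIFY_HEADER: "SUCCESS", CERT_CN_HEADER: "alice"})
    spoofed = Request("203.0.113.7", {CERT_VERIFY_HEADER: "SUCCESS", CERT_CN_HEADER: "alice"})
    no_cert = Request("10.0.0.5", {CERT_VERIFY_HEADER: "NONE"})
    for label, r in (("genuine", genuine), ("spoofed", spoofed), ("no_cert", no_cert)):
        print(f"{label:8s} peer={r.peer_ip:14s} cn={authenticated_cn(r)!r} "
              f"authorized={is_authorized(r, ['alice'])}")
```

On httpd the same two conditions map to configuration rather than code: the backend vhost that consumes the balancer's headers should accept connections only from the balancer's addresses (`Require ip` in httpd 2.4 access control), and the balancer side must set the headers on every request, not only when a certificate is present, so a client-supplied header is always replaced. The peer-address check is meaningful only if the balancer really is the sole path to the backend; a backend reachable on another interface needs the same restriction there.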
AW: [users@httpd] Client certificate auth behind f5 loadbalancer
Why do you terminate the SSL on the F5 and not on the Apache backend?
We load balance IP/port-based on the F5 and terminate the SSL on the Apache backend, so you would be able to turn on your SSLEngine and proxy the SSL from the F5 to the standard SSL port 443 of the Apache, and you can do everything you want because you have all SSL information.

Cheers,
André

-----Original Message-----
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Thursday, 26 June 2014 00:05
To: users@httpd.apache.org
Subject: Re: [users@httpd] Client certificate auth behind f5 loadbalancer

On Wed, Jun 25, 2014 at 5:53 PM, Marc Schöchlin m...@256bit.org wrote:
> In my understanding, authentication using client certificates is just a cryptographic validation of a public/private keypair over an already established SSL-secured channel. For example, it is possible to use an official certificate for the SSL channel and my own CA for client certificate validation.

It's part of the handshake, which can be later scrutinized by the application layer. However, there is no standard way to share the client certificate authenticated by a proxy with a backend origin server, and no way at all that mod_ssl is willing to receive (that I am aware of).

--
Eric Covener
cove...@gmail.com