Hi, thanks for your response.
I know that F5 loadbalancers can do this - unfortunately i use a shared loadbalancer without the possibility to do fast changes to the certificate revocation list. Regards Marc Am 28.06.2014 19:54, schrieb Marco Pizzoli: > Hi Marc, > as F5 user maybe you are not yet aware that with F5, leveraging > iRules, you can: > - implement client cert verification/validation, also specifically > checking the CN of the certificate > - publish to the apache backend custom HTTP headers carrying > informations extracted from the client certificate > > Both cases are well documented on the F5 site. The first one in > particular I can say by having implemented on my own. > > Is it something useful to your case? > > Regards > Marco > > > > > On Sat, Jun 28, 2014 at 5:04 PM, Marc Schöchlin <m...@256bit.org > <mailto:m...@256bit.org>> wrote: > > Hi, > > On 06/26/2014 04:08 PM, andre.wen...@bmw.de > <mailto:andre.wen...@bmw.de> wrote: > > Why do you terminate the ssl on the F5 and not on the > Apache-backend? We load balance IP/Port-based on the F5 and > terminate the SSL on the Apache backend, so you would be able to > turn on your SSLEngine and Proxy the SSL from the F5 on the SSL > Standard SSL Port 443 of the Apache and you can do everything you > want because you have all SSL information. > > i use a wildcard certificate on my frontend ip to do irule-based > (looking for the hostheader) backend pool selection. > Therefore it would be good to terminate ssl in the f5. > > I will now use a new frontend ip on the loadbalancer and i then i > will forward the traffic to the backend servers.... > > Regards > Marc > > -- > GPG encryption available: 0x670DCBEC/pool.sks-keyservers.net > <http://pool.sks-keyservers.net> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > <mailto:users-unsubscr...@httpd.apache.org> > For additional commands, e-mail: users-h...@httpd.apache.org > <mailto:users-h...@httpd.apache.org> > >