Good day,

I am using Apache HTTPd w/Mod_Proxy to proxy Apache Guacamole. The httpd side of things does a client side certificate validation. On Chrome and FF, everything works just fine, however on Safari, it does not. If I go direct to the Guacamole via Safari bypassing the mod_proxy, Safari works.

Using the developer tools in Safari, the /guacamole/api/tokes request is not getting the certificate "re-passed" by Safari, and apparently Chrome and FF handle this properly. Safari is important as the iPad uses Safari and FF/Chrome do not deal with client side certs loaded in the iOS keychain.

Below are what I believe are important details. I am hoping it is something simple I am missing and look forward to your ideas. I also believe this to be something that needs to be addressed on the mod_proxy side, and not Guacamole.

Error from Safari's web console
-------------------------------
Failed to load resource: The server “https://xx.xx.xx” requires a client certificate. (when requesting the above path /guacamole/api/tokes)

NOTE: This happens after the initial prompt for my certificate. Also note, I have an instance of ZoneMinder proxied, along with my Synology NAS, and they function just fine under Safari.

HTTPd modules loaded for proxy:
-----------------------------
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

My HTTPd vhost configuration:
-----------------------------
<VirtualHost *:443>
DocumentRoot "/web/MyRoot"
ServerName xx.xx.xx:443
SSLEngine on
SSLCertificateFile /etc/CA/certs/xx.xx.xx.crt
SSLCertificateKeyFile /etc/CA/private/xx.xx.xx.key
SSLCACertificateFile /etc/CA/certs/xxx.crt
SSLCARevocationFile /etc/CA/crl/xxx.crl
SSLCARevocationCheck chain
SSLVerifyClient require
SSLVerifyDepth 10
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Pre Apache 2.4
<Location />
     SetEnv no-gzip
</Location>

<Location /guacamole/>
  Order allow,deny
  Allow from all
  ProxyPass http://192.168.x.x:8080/guacamole/ flushpackets=on
  ProxyPassReverse http://192.168.x.x:8080/guacamole/
</Location>

<Location /guacamole/websocket-tunnel>
  Order allow,deny
  Allow from all
  ProxyPass ws://192.168.x.x:8080/guacamole/websocket-tunnel
  ProxyPassReverse ws://192.168.x.x:8080/guacamole/websocket-tunnel
</Location>
</VirtualHost>

Thanks!
Scott
