So, I am sending this to the list for archive purposes. I ended up
resolving the Safari issue by moving the SSLVerifyClient to the Location
definition vs the virtualhost definition. After doing this, I added a
Location definition for the api/tokens path to not require the client
certificate validation. My end goal of keeping the overall application
protected is, I believe, achieved here, hopefully.
<Location /guacamole/>
Order allow,deny
Allow from all
ProxyPass ajp://192.168.x.x:8009/guacamole/ flushpackets=on
ProxyPassReverse ajp://192.168.x.x:8009/guacamole/
SSLVerifyClient require
</Location>
<Location /guacamole/api/tokens>
Order allow,deny
Allow from all
ProxyPass ajp://192.168.x.x:8009/guacamole/api/tokens flushpackets=on
ProxyPassReverse ajp://192.168.x.x:8009/guacamole/api/tokens
</Location>
<Location /guacamole/websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://192.168.x.x:8009/guacamole/websocket-tunnel
ProxyPassReverse ws://192.168.x.x:8009/guacamole/websocket-tunnel
SSLVerifyClient require
</Location>
Scott
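An added audit script (mine, not from this thread) that reports the SSLVerifyClient value Apache would apply to a given request path under the Location layout in the reply above. It models mod_ssl's per-directory merge: the VirtualHost value is the base, every matching <Location> is applied in configuration order, and a section that does not set SSLVerifyClient keeps the value merged so far rather than resetting it, so an exemption has to be written as an explicit SSLVerifyClient none. The configuration text embedded in the script is a constructed sample with the same Location layout and placeholder backend addresses.

```python
import re
# Constructed sample (not the poster's file): the <Location> layout from the reply above.
SAMPLE_CONF = """
<Location /guacamole/>
ProxyPass ajp://192.168.x.x:8009/guacamole/ flushpackets=on
SSLVerifyClient require
</Location>
<Location /guacamole/api/tokens>
ProxyPass ajp://192.168.x.x:8009/guacamole/api/tokens flushpackets=on
</Location>
<Location /guacamole/websocket-tunnel>
ProxyPass ws://192.168.x.x:8009/guacamole/websocket-tunnel
SSLVerifyClient require
</Location>
"""

def parse_sections(conf):
    """Return (vhost_mode, [(location_prefix, mode_or_None), ...]) in config order."""
    vhost_mode, sections, current = "none", [], None  # "none" is Apache's default
    for raw in conf.splitlines():
        line = raw.strip()
        start = re.match(r"<Location\s+([^\s>]+)\s*>", line, re.I)
        if start:
            current = [start.group(1), None]
        elif line.lower() == "</location>" and current:
            sections.append(tuple(current))
            current = None
        else:
            m = re.match(r"SSLVerifyClient\s+(\S+)", line, re.I)
            if m and current:
                current[1] = m.group(1).lower()   # section-level setting
            elif m:
                vhost_mode = m.group(1).lower()   # VirtualHost-level setting
    return vhost_mode, sections

def location_matches(prefix, path):
    """A non-regex <Location> matches its prefix on a path-segment boundary."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def effective_verify(conf, path):
    """Merge like mod_ssl: VirtualHost value first, then each matching <Location> in
    config order; a section that leaves SSLVerifyClient unset keeps the merged value."""
    mode, sections = parse_sections(conf)
    for prefix, section_mode in sections:
        if location_matches(prefix, path) and section_mode is not None:
            mode = section_mode
    return mode
```

Run effective_verify against the real configuration text to confirm each proxied path has the verification mode you intended; under this merge rule the sample as written reports `require` for /guacamole/api/tokens, and only an explicit `SSLVerifyClient none` in that section produces `none`.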
On 2018-02-21 18:53, Scott Palmer wrote:
Good day,
I am using Apache HTTPd w/Mod_Proxy to proxy Apache Guacamole. The
httpd side of things does a client side certificate validation. On
Chrome and FF, everything works just fine, however on Safari, it does
not. If I go direct to the Guacamole via Safari bypassing the
mod_proxy, Safari works.
Using the developer tools in Safari, the /guacamole/api/tokens request
is not getting the certificate "re-passed" by Safari and apparently
Chrome and FF handle this properly. Safari is important as the iPad
uses Safari and FF/Chrome do not deal with client side certs loaded in
the iOS keychain.
Below are what I believe are important details. I am hoping it is
something simple I am missing and look forward to your ideas. I also
believe this to be something that needs to be addressed on the
mod_proxy side, and not guacamole.
Error from Safari's web console
-------------------------------
Failed to load resource: The server "https://xx.xx.xx" requires a
client certificate. (when requesting the above path
/guacamole/api/tokens)
NOTE: This happens after the initial prompt for my certificate. Also
note, I have an instance of ZoneMinder proxied, along with my Synology
NAS, and they function just fine under Safari.
HTTPd modules loaded for proxy:
-----------------------------
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
My HTTPd vhost configuration:
-----------------------------
<VirtualHost *:443>
DocumentRoot "/web/MyRoot"
ServerName xx.xx.xx:443
SSLEngine on
SSLCertificateFile /etc/CA/certs/xx.xx.xx.crt
SSLCertificateKeyFile /etc/CA/private/xx.xx.xx.key
SSLCACertificateFile /etc/CA/certs/xxx.crt
SSLCARevocationFile /etc/CA/crl/xxx.crl
SSLCARevocationCheck chain
SSLVerifyClient require
SSLVerifyDepth 10
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Pre Apache 2.4
<Location />
SetEnv no-gzip
</Location>
<Location /guacamole/>
Order allow,deny
Allow from all
ProxyPass http://192.168.x.x:8080/guacamole/ flushpackets=on
ProxyPassReverse http://192.168.x.x:8080/guacamole/
</Location>
<Location /guacamole/websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://192.168.x.x:8080/guacamole/websocket-tunnel
ProxyPassReverse ws://192.168.x.x:8080/guacamole/websocket-tunnel
</Location>
Thanks!
Scott
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org