Jon,

If you want to secure the httpd <-> Tomcat link with mutually authenticated TLS then I believe it is possible based on reading the docs but a) haven't tested it and b) you are going to need to be careful to ensure Tomcat doesn't get confused about whether it is the actual client or the reverse proxy that is authenticated.

The following are some pointers that should help. This is how I would go about things if I was doing this.

1. Set up mod_proxy_http and get it working over http.

2. Create and configure a server certificate for Tomcat.

3. Switch to proxy over https.

4. Use SSLProxyCACertificate[File|Path] to configure httpd to authenticate Tomcat.

5. Check you got 4 right by changing the Tomcat cert to a self-signed one and looking for the proxy connection to fail.

6. Create a client cert for httpd.

7. Configure Tomcat to require client cert authentication.

8. Configure httpd using SSLProxyMachineCertificate[File|Path] to provide the certificate.

9. Check you got 8 right by:
   a) using a JSP to view the presented certificate
   b) changing httpd to use a self-signed cert and check it fails


The problem you have now is that Tomcat sees httpd as a TLS authenticated client and you really want Tomcat to see the authentication status of the real client.

I've looked at the SSLValve and it only sets request attributes if the relevant headers from httpd are present. You would need to write an additional Valve that ran earlier in the pipeline and cleared those headers.

HTH,

Mark
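
As an added example, not Mark's configuration and not from the Tomcat or httpd projects, the following httpd 2.4 virtual host fragment puts steps 3, 4 and 8 above into one place and also forwards the end user's TLS status to Tomcat's SSLValve. All hostnames, ports and file paths (www.example.test, tomcat.internal:8443, /etc/httpd/tls/...) are assumed values; it requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded, and a working front-end TLS vhost.

```apache
# Added example: httpd 2.4 reverse-proxy vhost for steps 3, 4 and 8.
# Hostnames, ports and file paths below are assumed (hypothetical) values.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

<VirtualHost *:443>
    ServerName www.example.test

    # --- front-end TLS: browser <-> httpd (assumed to be working already) ---
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.test.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.test.key
    # End-user client certificates are optional so unauthenticated users
    # still reach the application; export the cert so it can be forwarded.
    SSLVerifyClient optional
    SSLCACertificateFile /etc/httpd/tls/user-ca.pem
    SSLOptions +ExportCertData +StdEnvVars

    # --- back-end TLS: httpd <-> Tomcat (steps 3 and 4) ---
    SSLProxyEngine on
    # Weak setting to avoid: "SSLProxyVerify none" would accept any Tomcat cert.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # CA that signed Tomcat's server certificate (step 4).
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.pem
    # Tomcat's certificate must also name "tomcat.internal" (SAN or CN).
    SSLProxyCheckPeerName on
    # Step 5 check: swap Tomcat's cert for a self-signed one; the proxied
    # request must then fail (502) with an SSL verify error in error_log.

    # --- client certificate httpd presents to Tomcat (step 8) ---
    # The file holds the PEM certificate followed by its *unencrypted* key.
    SSLProxyMachineCertificateFile /etc/httpd/tls/proxy-client.pem

    # --- forward the REAL client's TLS status to Tomcat's SSLValve ---
    # Drop any copies of these headers that arrived from the client, so only
    # values generated by this httpd instance reach Tomcat.
    RequestHeader unset ssl_client_cert
    RequestHeader unset ssl_cipher
    RequestHeader unset ssl_session_id
    RequestHeader unset ssl_cipher_usekeysize
    # Set them from the front-end session. When the browser presented no
    # certificate, SSL_CLIENT_CERT is empty and ssl_client_cert stays unset.
    RequestHeader set ssl_client_cert       "%{SSL_CLIENT_CERT}s"       "expr=-n %{SSL_CLIENT_CERT}"
    RequestHeader set ssl_cipher            "%{SSL_CIPHER}s"
    RequestHeader set ssl_session_id        "%{SSL_SESSION_ID}s"
    RequestHeader set ssl_cipher_usekeysize "%{SSL_CIPHER_USEKEYSIZE}s"

    ProxyPreserveHost On
    ProxyPass        / https://tomcat.internal:8443/
    ProxyPassReverse / https://tomcat.internal:8443/
</VirtualHost>
```

On the Tomcat side (8.5/9 syntax), the matching connector uses an `<SSLHostConfig certificateVerification="required" truststoreFile="...">` block whose truststore holds the CA that signed proxy-client.pem (step 7), and the SSLValve (`org.apache.catalina.valves.SSLValve`) is added to the Host or Engine so the forwarded headers populate the request attributes. For the step 9a check, a JSP can read `request.getAttribute("javax.servlet.request.X509Certificate")` (`jakarta.servlet...` on Tomcat 10) and print each certificate's `getSubjectX500Principal()`. As Mark notes above, this forwarding alone does not resolve the ambiguity: for a user who presented no certificate, the connector still reports httpd's machine certificate because no ssl_client_cert header arrives to override it, which is exactly the case the extra Valve he describes would have to handle.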


On 03/06/2022 00:13, jonmcalexan...@wellsfargo.com.INVALID wrote:
Ok, so in short it's not possible to mutually authenticate the mod-proxy and a tomcat connector, correct?

I'm needing to convert an ajp configuration to mod-proxy, but a security 
architect wants the other as well.


Thanks,


________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Jun 2, 2022 5:05 PM
To: users@tomcat.apache.org
Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

On 6/2/22 14:38, Beard, Shawn wrote:
  > I've never done this. But I think it would go something like this:
  > To make tomcat take advantages of Client Authentication, require three
  > certificates. i.e A Server Certificate for Tomcat, Client Certificate
  > for the browser/Apache and Certificate of the CA which will sign both
  > the above mentioned certificates.

Stop. John: if you aren't using client TLS certs with your end-users,
then this is a rathole you don't want to go down.

If you *do* need to use client-TLS-auth, then this is correct.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


