Thank you as always Mark and all!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com

> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Friday, June 3, 2022 4:19 AM
> To: users@tomcat.apache.org
> Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]
> 
> Jon,
> 
> If you want to secure the httpd <-> Tomcat link with mutually authenticated
> TLS then I believe it is possible based on reading the docs but a) haven't
> tested it and b) you are going to need to be careful to ensure Tomcat doesn't
> get confused about whether it is the actual client or the reverse proxy that
> is authenticated.
> 
> The following are some pointers that should help. This is how I would go
> about things if I was doing this.
> 
> 1. Set up mod_proxy_http and get it working over http.
> 
> 2. Create and configure a server certificate for Tomcat.
> 
> 3. Switch to proxy over https.
> 
> 4. Use SSLProxyCACertificate[File|Path] to configure httpd to authenticate
> Tomcat.
> 
> 5. Check you got 4 right by changing the Tomcat cert to a self-signed one and
> looking for the proxy connection to fail.
> 
> 6. Create a client cert for httpd.
> 
> 7. Configure Tomcat to require client cert authentication.
> 
> 8. Configure httpd using SSLProxyMachineCertificate[File|Path] to provide
> the certificate.
> 
> 9. Check you got 8 right by:
>     a) using a JSP to view the presented certificate
>     b) changing httpd to use a self-signed cert and check it fails
> 
> 
> The problem you have now is that Tomcat sees httpd as a TLS authenticated
> client and you really want Tomcat to see the authentication status of the real
> client.
> 
> I've looked at the SSLValve and it only sets request attributes if the
> relevant headers from httpd are present. You would need to write an
> additional Valve that ran earlier in the pipeline and cleared those headers.
> 
> HTH,
> 
> Mark
> 
> 
> On 03/06/2022 00:13, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, so in short it's not possible to mutually authenticate the
> > mod-proxy and a tomcat connector, correct?
> >
> > I'm needing to convert an ajp configuration to mod-proxy, but a security
> > architect wants the other as well.
> >
> >
> > Thanks,
> >
> >
> > Sent with BlackBerry Work
> >
> > ________________________________
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Jun 2, 2022 5:05 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over
> > SSL [EXTERNAL]
> >
> > On 6/2/22 14:38, Beard, Shawn wrote:
> >   > I've never done this. But I think it would go something like this:
> >   > To make tomcat take advantage of Client Authentication, require three
> >   > certificates, i.e. a Server Certificate for Tomcat, a Client Certificate
> >   > for the browser/Apache and the Certificate of the CA which will sign both
> >   > the above mentioned certificates.
> >
> > Stop. John: if you aren't using client TLS certs with your end-users,
> > then this is a rathole you don't want to go down.
> >
> > If you *do* need to use client-TLS-auth, then this is correct.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> 
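The httpd side of Mark's steps 3, 4 and 8, plus the header forwarding his closing paragraph refers to, as a constructed configuration example. It is not configuration from the thread or from the Tomcat project; all paths, hostnames, ports and the SSL_* header names are assumptions, and the directives used are standard httpd 2.4 mod_ssl, mod_proxy and mod_headers directives.

```apache
# Constructed example: httpd 2.4 reverse proxy to Tomcat over mutually
# authenticated TLS. Paths, hostnames and ports are placeholders.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Step 3: proxy to Tomcat over https instead of http.
    SSLProxyEngine on

    # Step 4: httpd authenticates Tomcat. Only a backend certificate that
    # chains to this CA is accepted, and its name must match the backend host.
    # Step 5 in the thread (swap in a self-signed Tomcat cert) should then
    # make the proxied request fail with a 502.
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.crt
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCheckPeerName     on

    # Step 8: httpd presents its own client certificate to Tomcat. The PEM
    # file holds the client certificate followed by its unencrypted key.
    SSLProxyMachineCertificateFile /etc/httpd/tls/httpd-client.pem

    # Forward the real client's TLS state for Tomcat's SSLValve. "set" (not
    # "add") replaces any header of the same name the client sent, so a
    # client cannot inject its own SSL_CLIENT_CERT through httpd.
    RequestHeader set SSL_CLIENT_CERT        "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CIPHER             "%{SSL_CIPHER}s"
    RequestHeader set SSL_SESSION_ID         "%{SSL_SESSION_ID}s"
    RequestHeader set SSL_CIPHER_USEKEYSIZE  "%{SSL_CIPHER_USEKEYSIZE}s"

    ProxyPass        "/app" "https://tomcat.internal.example:8443/app"
    ProxyPassReverse "/app" "https://tomcat.internal.example:8443/app"
</VirtualHost>
```

On the Tomcat side (step 7) the matching connector is an `SSLHostConfig` with `certificateVerification="required"` and a `truststoreFile` containing the CA that signed the httpd client certificate, with `org.apache.catalina.valves.SSLValve` in the Host's pipeline. The valve's default header names differ from the ones above (for example `ssl_client_escaped_cert`), so either the `RequestHeader` names or the valve's `sslClientCertHeader`, `sslCipherHeader`, `sslSessionIdHeader` and `sslCipherUserKeySizeHeader` attributes must be set so that both sides agree. This configuration does not resolve the point Mark raises at the end: when the real client presented no certificate, the SSLValve sets nothing and the application still sees httpd's certificate from the connector-level handshake, which is the case his additional Valve is meant to handle.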
