
I basically have the exact same problem as "Add Client certificate when acting as reverse proxy (Apache/NGINX)", but in my case there is no nginx that can help me out.

I want a certain location inside my virtual host to act as a reverse proxy for a third party server, like

<Location /mylocation/>
        ProxyPass          https://thirdparty.example:2345/foo/
        ProxyPassReverse   https://thirdparty.example:2345/foo/
</Location>

https://thirdparty.example:2345/foo/ however requires authentication with a client certificate. I want to hide this fact from my users. They must not be required to provide a client certificate. Instead, I would like Apache to use a certificate that's stored on the server.

How can this be done?

Patrick Mevzek
Thomas Hilbert

1 Answer


When Apache is configured as a proxy there are 2 separate HTTP(S) connections:

  • one from the HTTP client to your Apache
  • one from your Apache to some other server

The client of the first connection has no direct way to know your Apache is working as a proxy, nor where it connects exactly. Both connections coexist more or less at the same time. It is completely the opposite of an HTTP redirect, where the client gets the new URL and hence in fact makes 2 connections, but one after the other.

Hence:

> I want to hide this fact from my users.

This is implied by using Apache as a proxy.

> They must not be required to provide a client certificate.

They won't, unless your Apache is configured to ask for a client certificate for the path covered by your configuration above.

> Instead, I would like Apache to use a certificate that's stored on the server.

Everything related to TLS is under the control of mod_ssl, whose documentation is at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

There you will be mostly interested in SSLProxyMachineCertificateFile and its surroundings, as it is described this way:

> This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.

Note the contexts where it can appear: global server, virtual host or proxy directive (hence you cannot put it directly in your Location block).

So you will need to add something like:

<Proxy "https://thirdparty.example:2345/foo/*">
    SSLProxyMachineCertificateFile /some/path
</Proxy>
StackzOfZtuff
Patrick Mevzek
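
Added example (not part of the answer above and not an Apache tool): a shell preflight check for the all-in-one PEM file that SSLProxyMachineCertificateFile points to. It relies on the mod_ssl documentation's statement that encrypted private keys are not supported for this file; the function names, return codes and the owner-only permission rule are choices made for this example, and the sample PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Preflight lint for the all-in-one PEM file named by SSLProxyMachineCertificateFile.
# Prints a verdict and returns 0 when the file looks usable, non-zero otherwise.
check_proxy_pem() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # The file must carry the client certificate ...
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no certificate block"; return 3; }
    # ... and a key that loads without a passphrase (PKCS#8 or traditional PEM).
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "private key is encrypted"; return 4
    fi
    grep -Eq -e '-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$f" ||
        { echo "no private key block"; return 5; }
    # Hardening assumption of this example: no group/other access to the key.
    mode=$(ls -ldL "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "permissions too open"; return 6; }
    echo "ok"
}

# Constructed sample input: PEM framing with placeholder bodies, not real keys.
# usage: write_sample FILE KEY_LABEL [EXTRA_HEADER_LINE]
write_sample() {
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
                      '-----END CERTIFICATE-----' "-----BEGIN $2-----"
        [ -z "${3:-}" ] || printf '%s\n' "$3"
        printf '%s\n' 'Q09OU1RSVUNURUQ=' "-----END $2-----"
    } > "$1"
    chmod 600 "$1"
}

# Demo on a constructed file; prints "ok".
demo_dir=$(mktemp -d)
write_sample "$demo_dir/proxy.pem" 'PRIVATE KEY'
check_proxy_pem "$demo_dir/proxy.pem"
rm -rf "$demo_dir"
```

This only inspects the PEM framing and file mode; it does not verify that the key matches the certificate. Proxying to an https:// backend also requires `SSLProxyEngine on` in the same virtual host.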