Issue
I successfully configured my Apache 2.4 to act as a proxy server that can authenticate towards a remote server:
httpd-ssl.conf
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
Now I need to introduce authentication towards a second remote server, so I changed the above configuration this way:
httpd-ssl.conf
SSLProxyEngine on
SSLProxyMachineCertificatePath "C:/Apache24/conf/myClientCertsForWs/"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
ProxyPass /ws2/ <HTTPS URL of remote service 2>
ProxyPassReverse /ws2/ <HTTPS URL of remote service 2>
In "C:/Apache24/conf/myClientCertsForWs/" I placed the 2 client certs renamed with their hash name (54678734.0 and 77b3aaf4.0) generated using these commands:
openssl x509 -hash -noout -in myClientCertForWs1.pem
openssl x509 -hash -noout -in myClientCertForWs2.pem
Unfortunately this configuration doesn't work: the only certificate used by Apache is the first one, so authentication towards the second remote server always fails; it doesn't fail if I remove the first certificate from "C:/Apache24/conf/myClientCertsForWs/".
The only working solution I found is configuring 2 VirtualHosts, one for each remote server:
httpd-ssl.conf
<VirtualHost _default_:9347>
[...]
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
[...]
</VirtualHost>
<VirtualHost _default_:9348>
[...]
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
ProxyPass /ws2/ <HTTPS URL of remote service 2>
ProxyPassReverse /ws2/ <HTTPS URL of remote service 2>
[...]
</VirtualHost>
This solution requires using 2 ports instead of one, and I'd like to avoid it.
Could you kindly help me?
Solution
From 2.4.30 onward you can configure SSLProxyMachineCertificateFile in the proxy section, i.e.:
<Proxy "<HTTPS URL of remote service 1>">
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
</Proxy>
<Proxy "<HTTPS URL of remote service 2>">
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
</Proxy>
Answered By - Pandurang Answer Checked By - Willingham (PHPFixing Volunteer)
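The answer's `<Proxy>` sections placed in a single virtual host on one port, as an added example that is not part of the original question or answer. The backend hostnames (`ws1.example.invalid`, `ws2.example.invalid`) and the CA bundle paths are placeholders, and the `SSLProxyVerify`, `SSLProxyCACertificateFile` and `SSLProxyCheckPeerName` lines are an addition so that each client certificate is only presented to a backend whose own certificate has been verified.

```apache
# Added example (httpd 2.4.30 or later): one listener, one client certificate per backend.
# Backend URLs and ws*-ca.pem paths are placeholders, not values from the original post.
<VirtualHost _default_:9347>
    # [...] existing front-end SSL settings of the virtual host stay unchanged

    SSLProxyEngine on

    # Backend 1: each PEM file holds the client certificate followed by its
    # unencrypted private key, as SSLProxyMachineCertificateFile expects.
    <Proxy "https://ws1.example.invalid/">
        SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
        # Verify the backend before authenticating to it (the default is SSLProxyVerify none).
        SSLProxyVerify require
        SSLProxyCACertificateFile "C:/Apache24/conf/ws1-ca.pem"
        SSLProxyCheckPeerName on
    </Proxy>

    # Backend 2: a different client certificate, scoped to this backend URL only.
    <Proxy "https://ws2.example.invalid/">
        SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
        SSLProxyVerify require
        SSLProxyCACertificateFile "C:/Apache24/conf/ws2-ca.pem"
        SSLProxyCheckPeerName on
    </Proxy>

    # The <Proxy> argument is matched as a prefix of the backend URL, so it must
    # start with the same scheme and host as the ProxyPass target below.
    ProxyPass        /ws1/ "https://ws1.example.invalid/"
    ProxyPassReverse /ws1/ "https://ws1.example.invalid/"
    ProxyPass        /ws2/ "https://ws2.example.invalid/"
    ProxyPassReverse /ws2/ "https://ws2.example.invalid/"
</VirtualHost>
```

Run `httpd -t` after editing; on versions older than 2.4.30 the syntax check rejects `SSLProxyMachineCertificateFile` inside `<Proxy>`.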