SSL Client certificate injection using reverse and forward proxies
Here is a little trick to connect to a server that requires an SSL client certificate when your client does not support them.
To make it work your client must be able to use a proxy. We will use that forward proxy to rewrite requests for certain servers to a reverse proxy that injects the client certificate.
Let's get to the good stuff!
Let's start with the forward proxy; this is what will be configured in your browser, web app, etc.
# mod_proxy, mod_proxy_http and mod_rewrite must be loaded for the rules below
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
Listen 8080
<VirtualHost *:8080>
LogLevel error
ErrorLog logs/error_log-fp
TransferLog logs/transfer_log-fp
RewriteEngine On
# The reverse proxies below speak plain HTTP on the loopback interface, so they are
# reached over http://; proxying to an https:// backend would additionally require
# SSLProxyEngine on in this vhost and SSLEngine on in the reverse proxy vhost.
RewriteRule proxy:https://secure.blackdot.be/(.*) http://127.0.0.1:9901/$1 [P]
RewriteRule proxy:https://repository.blackdot.be/(.*) http://127.0.0.1:9902/$1 [P]
ProxyRequests On
ProxyVia On
<Proxy *>
Order allow,deny
allow from all
# you may want to narrow this down to only the client's IP: this is an open
# proxy for anyone who can reach port 8080
</Proxy>
</VirtualHost>
We intercept requests for secure.blackdot.be and repository.blackdot.be and send them to our reverse proxies; other requests are passed along untouched. The forward proxy listens on port 8080.
LoadModule ssl_module modules/mod_ssl.so
Listen 127.0.0.1:9901
<VirtualHost 127.0.0.1:9901>
LogLevel error
ErrorLog logs/error_log-rp
TransferLog logs/transfer_log-rp
SSLProxyEngine on
# CA bundle used to verify the upstream server's certificate (only used when
# SSLProxyVerify is set to require)
SSLProxyCACertificateFile conf/ssl/RP9901CA.crt
# Client certificate presented to the upstream server. The file must contain the
# PEM certificate and its private key; mod_ssl cannot use an encrypted key here.
SSLProxyMachineCertificateFile conf/ssl/RP9901CERT.crt
SSLProxyVerifyDepth 10
# "none" skips verification of the upstream server certificate, so anyone who can
# redirect the upstream connection can read the proxied traffic; set it to
# "require" once RP9901CA.crt holds the right CA.
SSLProxyVerify none
# upstream application server
ProxyRequests Off
ProxyPass / https://secure.blackdot.be/
ProxyPassReverse / https://secure.blackdot.be/
</VirtualHost>
The reverse proxy on port 9901 forwards requests to secure.blackdot.be and offers the client certificate stored in conf/ssl/RP9901CERT.crt.
You would create a similar reverse proxy on port 9902 for repository.blackdot.be.
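Because SSLProxyMachineCertificateFile silently fails if the bundle lacks a key or holds an encrypted one, here is a small check to run over the file before restarting Apache. This is an added example, not part of the original post; the PEM bundle it inspects is a constructed sample with placeholder bodies, not a real certificate or key.

```python
import re

# Constructed sample bundle for SSLProxyMachineCertificateFile. The base64 bodies
# are placeholders, not a real certificate or key; the key is marked encrypted.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBszCCAV0CAQEwDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UEAwwHZXhhbXBsZQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQC7cGxhY2Vob2xkZXJwbGFjZWhvbGRlcnBsYWNlaG9sZGVyCg==
-----END RSA PRIVATE KEY-----
"""

# One PEM block: label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def check_machine_cert_bundle(pem_text):
    """Inspect a PEM bundle meant for SSLProxyMachineCertificateFile.

    Returns counts of certificate and key blocks, how many keys are encrypted
    (PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy Proc-Type header), and a list
    of problems that would stop mod_ssl from presenting the client certificate."""
    certs = keys = encrypted_keys = 0
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group("label"), m.group("body")
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted_keys += 1
    problems = []
    if certs == 0:
        problems.append("no certificate block")
    if keys == 0:
        problems.append("no private key block; Apache cannot present the certificate")
    if encrypted_keys:
        problems.append("encrypted private key; the proxy machine key must be unencrypted")
    return {"certs": certs, "keys": keys, "encrypted_keys": encrypted_keys, "problems": problems}


if __name__ == "__main__":
    print(check_machine_cert_bundle(SAMPLE_BUNDLE))
```

Point it at conf/ssl/RP9901CERT.crt by reading the file into a string; an empty problems list means the bundle has the shape mod_ssl expects.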
This should be enough to get this working; if not… you probably shouldn't be using SSL client authentication.