SSL Client certificate injection using reverse and forward proxies

July 5th, 2012 | Categories: Networking, Technology

Here is a little trick to connect to a server that requires a SSL Client certificate when your client does not support it.

To make it work your client must be able to use a proxy. We will use this proxy to rewrite certain servers to a reverse proxy that injects the client certificate.

Lets get to the good stuff!{{1}}

Lets start with the forward proxy, this is what will be configured in your browser, webapp…

Listen 8080

<VirtualHost *:8080>
	LogLevel			error
	ErrorLog			logs/error_log-fp
	TransferLog			logs/transfer_log-fp
	#RewriteLogLevel	9
	#RewriteLog			logs/rewrite_log-fp

	RewriteEngine		On
	RewriteRule		proxy:https://secure.blackdot.be/(.*)	  https://127.0.0.1:9901/$1	[P]
	RewriteRule		proxy:https://repository.blackdot.be/(.*) https://127.0.0.1:9902/$1	[P]

	ProxyRequests		On
	ProxyVia			On

	<Proxy *>
		Order allow,deny
		allow from all
		# you may want to narrow this down to only the client's IP
	</Proxy>
</VirtualHost>

We will filter out request for secure.blackdot.be and repository.blackdot.be, then we send the request to our reverse proxies. Other request will be passed along untouched. The proxy is listening on port 8080.

LoadModule ssl_module modules/mod_ssl.so

Listen 127.0.0.1:9901

<VirtualHost 127.0.0.1:9901>
	LogLevel			error
	ErrorLog			logs/error_log-rp
	TransferLog			logs/transfer_log-rp

	SSLProxyEngine					on
	SSLProxyCACertificateFile		conf/ssl/RP9901CA.crt
	SSLProxyMachineCertificateFile	conf/ssl/RP9901CERT.crt
	SSLProxyVerifyDepth				10
	SSLProxyVerify					none

	# IP app server
	ProxyRequests			Off
	ProxyPass				/	https://secure.blackdot.be/
	ProxyPassReverse		/	https://secure.blackdot.be/
</VirtualHost>

The reverse proxy on port 9901 will proxy the requests to secure.blackdot.be, it will offer the client certificate stored in conf/ssl/RP9901CERT.crt.{{2}}

You would create a similar reverse proxy on port 9902 for repository.blackdot.be.

This should be enough to get this working, if not… your probably shouldn’t be using SSL Client Authentication.

[[1]]I assume you already have a working HTTPD config and you are smart enough to fix basic problems, this is by no means a full how to.[[1]]
[[2]]This file contains both the certificate and the private key with the passphrase removed.[[2]]

Leave a comment
Comments are closed.