Score:0

Apache reverse proxy mTLS only between client and proxy, regular TLS between proxy and backends


I am trying to create an apache reverse proxy (for webservices) where I need mutual authentication (mTLS) between clients and the proxy itself, but I don't need mTLS between the proxy and the backends (multiple backends running multiple webservices on different ports); regular SSL is sufficient.

a schema of what i am trying to achieve :

(image: schema1)

I was thinking of an apache configuration that would look like the one below, but my apache knowledge is very limited and I'd like advice.

Note: the configuration below only shows 1 vHost (not the whole apache config), as I plan to have as many vHosts as webservices I have in the backend (as this is going to serve multiple applications):

# ---------------------------------------------
# mTLS vHost for Service <Appl_a>
# ---------------------------------------------
<VirtualHost <dns_alias>:<PortID>>

    ServerName <dns_alias>

    # Custom logs for this vHost
    ErrorLog "<Logdir>/error_log"
    TransferLog "<Logdir>/access_log"

    # SSL activation on the proxy itself
    # (httpd does not accept comments after a directive on the same line,
    # so they are kept on their own lines here)
    SSLEngine on
    # Proxy cert file + CA trust cert
    SSLCertificateFile "<Path_to_keys>/proxy.cer"
    # Proxy private key
    SSLCertificateKeyFile "<Path_to_keys>/proxy.key"

    # security options
    # only a reverse proxy
    ProxyRequests off
    # we only allow TLS 1.2 and 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # server forces the cipher order (not the client)
    SSLHonorCipherOrder On

    # client certificate authentication (for mTLS between proxy & client)
    SSLProxyEngine On
    SSLVerifyClient require
    SSLVerifyDepth 10
    # Client's certificate file or CA only? (as they are both signed by the same CA)
    SSLCACertificateFile "<Path_to_keys>/client.cer"

    # I BELIEVE I DON'T NEED THIS
    # as it would only be if I wanted mTLS between proxy and backend
    # (or to forward client certs to the backend, can you please confirm?)
    SSLProxyCACertificateFile "<Path_to_keys>/server.cer"
    SSLProxyMachineCertificateFile "<Path_to_keys>/proxy.pem"
    SSLProxyVerify require
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

    # Proxy
    # I BELIEVE this is also useless
    RequestHeader set SSL_CLIENT_CERT ""
    <Location />
       # USELESS? as this is to forward the client cert to the backend,
       # but I don't need mTLS to reach backends?
       RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
       ProxyPass https://<appl_URL>:<appl_PORT>/<WS_URL>
       ProxyPassReverse https://<appl_URL>:<appl_PORT>/<WS_URL>
    </Location>

</VirtualHost>

# ---------------------------------------------
# mTLS vHost for Service <n>
# ---------------------------------------------
... same for another port/ws
  1. Could you please help me confirm whether this configuration makes sense, or how you would do such a thing? Multiple parts in this config are, I believe, useless, as they are meant to forward client certificates to the backend for a full mutual authentication proxy (which is not what I want); see the comments in the config.

  2. Second thing: what if I wanted to terminate the traffic at the proxy level and forward the requests to the backends as HTTP? Should I simply replace https with http in the Proxy & ProxyPassReverse directives?

Thank you in advance,

Score:0

For point 1:

In the appropriate virtualhost you just need two extra directives and an optional one.

A directive to tell Apache which CAs to authorize for client certificates (this is a list of root CAs for the client certificates you admit):

SSLCACertificateFile "/path/to/ca-auth-list.pem"

Then in each path you want mTLS to happen or the whole virtualhost if you want:

SSLVerifyClient require

An extra one to define which depth, or how many CAs in the chain, you support:

SSLVerifyDepth 2

For point 2:

Reverse proxy connections are something else entirely from what the client sends to the server, so the backend for the proxy can be https/http/ajp/ws or whatever you may need.

PS: Do not use Location for ProxyPass directives. ProxyPass already provides a location in its first parameter, but Location and ProxyPass directives are interpreted in opposite ways, so mixing them is a recipe for trouble.
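To show how the answer's points fit together, here is an added example vHost (it is not part of the question or the answer). Host names, ports and file paths are placeholders. Two things the question's own config got crossed are worth stating plainly: SSLProxyCACertificateFile and SSLProxyVerify control whether the proxy checks the backend's server certificate (ordinary server-side TLS toward the backend, which is still worth keeping), while SSLProxyMachineCertificateFile is the one directive that makes the proxy present a client certificate to the backend, i.e. the backend-side mTLS the question does not want. SSLProxyEngine is needed whenever the backend URL is https://, independently of client certificates.

```apache
# Added example: one client-facing mTLS vHost proxying to a TLS backend.
# All names, ports and paths below are assumed placeholders.
Listen 8443
<VirtualHost *:8443>
    ServerName ws-a.example.com

    ErrorLog    "/var/log/httpd/ws-a_error_log"
    TransferLog "/var/log/httpd/ws-a_access_log"

    # TLS termination on the proxy (the proxy's own server certificate)
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCertificateFile    "/etc/pki/tls/certs/proxy.cer"
    SSLCertificateKeyFile "/etc/pki/tls/private/proxy.key"

    # mTLS on the client side only. The file holds the CA certificate(s)
    # that issue client certificates, not the individual client certs;
    # any client presenting a cert chained to these CAs is accepted.
    SSLCACertificateFile "/etc/pki/tls/certs/client-ca-list.pem"
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Reverse proxy only, never a forward proxy
    ProxyRequests off

    # Backend over plain server-side TLS: the proxy verifies the backend's
    # server certificate against the internal CA, but presents no client
    # certificate (no SSLProxyMachineCertificateFile), so there is no mTLS
    # toward the backend. SSLProxyEngine is required for https:// backends.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile "/etc/pki/tls/certs/internal-ca.pem"
    SSLProxyCheckPeerName on

    # ProxyPass carries its own path; no <Location> wrapper (see the PS above)
    ProxyPass        "/ws_a/" "https://appl-a.internal:9443/ws_a/"
    ProxyPassReverse "/ws_a/" "https://appl-a.internal:9443/ws_a/"

    # Point 2: to terminate TLS here and reach the backend over plain HTTP,
    # use http:// URLs instead; the SSLProxy* directives are then unused.
    # ProxyPass        "/ws_a/" "http://appl-a.internal:9080/ws_a/"
    # ProxyPassReverse "/ws_a/" "http://appl-a.internal:9080/ws_a/"
</VirtualHost>
```

The RequestHeader lines from the question are left out on purpose: they only matter if the backend application needs to see the client's certificate, and in that case the header should be set unconditionally by the proxy (never passed through from the client) so a client cannot inject its own value.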

olivierg:
Thank you for your answer. We will make some tests soon and I will let you know if it worked (and mark the question as answered). So you confirm that none of the SSLProxy* options are required in my setup (I can get rid of them), as well as the RequestHeader ones?