
If we have the following scenario:

  • an Ubuntu 18.04.5 LTS machine
  • a third party server running on port 10000 of this machine and already configured with a self-signed certificate (https://localhost:10000)
  • a ngrok tcp tunnel exposing port 10000 to the world (https://0.tcp.ngrok.io:1234/)

How can we configure an Apache httpd server in a way that only the clients with the same certificate will be able to access and see the contents of the ngrok public url (https://0.tcp.ngrok.io:1234/)?

Some of the things I tried were:

  • Copying the certificate to /etc/apache2/ssl
  • Enabling the ssl module with a2enmod ssl
  • Configuring the /etc/apache2/sites-available/000-default.conf to have a section like:

```apache
<VirtualHost *:443>
  SSLEngine on
  # Server certificate and key (copied from the third party server)
  SSLCertificateFile /etc/apache2/ssl/cert.pem
  SSLCertificateKeyFile /etc/apache2/ssl/key.pem

  # Require a client certificate; the same self-signed cert is used as the trust anchor
  SSLVerifyClient require
  SSLCACertificatePath /etc/ssl/certs
  SSLCACertificateFile /etc/apache2/ssl/cert.pem
  SSLCADNRequestFile /etc/apache2/ssl/cert.pem
  SSLVerifyDepth 1

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

  • Restarting the apache server with service apache2 restart

But unfortunately this is not working yet. Should I change the strategy to something different?

GarouDan
  • The scenario you first describe makes no mention of Apache, so AFAWK, you can change its settings all you want, it won't change a thing. As a side note, do you really use ngrok in production?! – Ginnungagap Feb 15 '21 at 23:40
  • @Ginnungagap, yes, it could be another thing, I was thinking about nginx. I was considering httpd because the third party server recommends this tutorial here: https://www.akadia.com/services/ssh_test_certificate.html. It's not really a production thing, but a side project of mine, but because of some restrictions, I can only see the UI if I externalize the server – GarouDan Feb 16 '21 at 00:52
  • It sounds like you're trying to do client certificate authentication. The tutorial you linked only shows the steps for the client to be able to verify the server's identity - not for the server to verify the client. If that's the case, you need to (among other things) generate a CSR on the client machine, sign it using the server's self-signed CA, and install the result on the client. For a side-project, there may be simpler and equally effective solutions (whitelisting your IP for port 1234 at the firewall comes to mind). – Brandon Xavier Feb 16 '21 at 09:28
  • @BrandonXavier, as you said, I think this is a matter for client certification. It looks like we need to define the server and client certificates and require the ssl verification. I didn't try yet, but it looks like this is the way. And I think nginx is better suited for this task – GarouDan Feb 18 '21 at 15:48

0 Answers