2

We have an internal server that requires x509-based authentication, but I've been requested to open it up with a basic user/password authentication.

I've been trying to set up a reverse proxy in Apache that uses a trusted certificate to connect to the internal server, but I don't seem to be able to choose and use the certificate. The basic authentication works fine.

Going through all related questions here and googling for some days, my bet is that I need to use some SSLProxy* directives, but none of what I tried has been successful so far.

BTW, I'm using a self-signed certificate for authenticating to the internal server.

So far my .conf file reads like this:

<VirtualHost *:80>
    ServerName external.server

    SSLProxyEngine on
    UnknownSSLDirectives

    ProxyRequests Off
    ProxyPass        / https://internal.server/
    ProxypassReverse https://internal.server/ /

    <Location />
        AuthType Basic
        AuthName "Authenticated proxy"
        AuthUserFile /etc/httpd/passwd/passwords
        Require user USER
    </Location>

    <Proxy>
        Order Deny,Allow
        Allow from all
    </Proxy>

    RequestHeader unset Authorization

    ErrorLog "logs/proxy.error.log"
    CustomLog "logs/proxy.access.log" common
</VirtualHost>

I seem to be so close, but cannot penetrate the intrinsics of the SSL authentication. I hope someone can enlighten me.

RogerFC

1 Answer

2

SSLProxyMachineCertificateFile should be what you're looking for; make sure you've got the client certificate in PEM format (it must be unencrypted, with both the public and private keys in this file; see the -nodes openssl option) and the device should present that certificate for authentication to the upstream server.

Oh, and semi-unrelated: your ProxyPassReverse's settings look to be backwards; they should usually match ProxyPass. It's unintuitive, but it's there for on-the-fly modification of absolute URL paths that the upstream server sends in headers (it doesn't actually like reversed input).

Shane Madden
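
The answer's two corrections applied to the question's virtual host, as an added example that is not part of the original posts. The paths under /etc/httpd/ssl/ and the file names client.p12, client.crt and client.key are assumptions, and the SSLProxyVerify and SSLProxyCACertificateFile lines assume the internal server's certificate chains to that CA file.

```apache
# Added example; hostnames and the passwords path come from the question,
# everything under /etc/httpd/ssl/ is an assumed placeholder path.
#
# Build the combined PEM first (certificate + unencrypted key in one file):
#   openssl pkcs12 -in client.p12 -out proxy-client.pem -nodes
# or, if certificate and key are already separate PEM files:
#   cat client.crt client.key > proxy-client.pem
# The key is unencrypted, so make the file readable only by the user
# that starts httpd (for example chmod 600).

# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
<VirtualHost *:80>
    ServerName external.server

    # TLS for the connection from this proxy to the back end.
    SSLProxyEngine on
    # Client certificate and private key presented to internal.server.
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    # Assumption: verify the back end's certificate against a known CA file
    # so the client certificate is only ever presented to the real server.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.pem

    ProxyRequests Off
    # ProxyPassReverse takes the same argument order as ProxyPass.
    ProxyPass        / https://internal.server/
    ProxyPassReverse / https://internal.server/

    # Basic auth on a plain-HTTP listener (port 80, as in the question)
    # sends the password unencrypted; a TLS front end protects it.
    <Location />
        AuthType Basic
        AuthName "Authenticated proxy"
        AuthUserFile /etc/httpd/passwd/passwords
        Require user USER
    </Location>

    # Do not forward the proxy's Basic credentials to the back end.
    RequestHeader unset Authorization

    ErrorLog "logs/proxy.error.log"
    CustomLog "logs/proxy.access.log" common
</VirtualHost>
```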