My web servers need to integrate with a 3rd party's server that sits behind a firewall. In order to get through the firewall all requests have to come from the same IP address and be authenticated via SSL. So I set up a machine that's supposed to work as a proxy and forward all traffic via SSL to the 3rd party server.

I set up the proxy with the certificates and matching key files and can make a successful request to the 3rd party service via CURL just fine, using the certificate and key file. I set up a virtual host on Apache to pass these requests through, but keep getting errors saying that the SSL handshake with the remote server failed. I see the following error messages in my apache logs:

Proxy client certificate callback: (:443) downstream server wanted client certificate but none are configured [Sun Jul 29 01:40:48 2012] [error] (502)Unknown error 502: proxy: pass request body failed to <3rd party IP>:18443 (<3rd party URL>)
[Sun Jul 29 01:40:48 2012] [error] [client ] proxy: Error during SSL Handshake with remote server returned by /

My apache virtual host configuration looks as follows:

<VirtualHost *:18443>
    ServerName <Proxy IP>
    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/my_server.pem
    SSLCertificateKeyFile /etc/apache2/ssl/my_server.key
    SSLProxyCACertificatePath /etc/ssl/certs
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass / https://<3rd party server address>:18443
    ProxyPassReverse / https://<3rd party server address>:18443
</VirtualHost>

Thank you! Any help is highly appreciated!

ajmurmann
  • Just a hunch, but can you post the config for whatever is listening on :443? Based on your log snippet something is trying to establish an SSL connection on :443 and then getting redirected to :18443. – d34dh0r53 Jul 29 '12 at 02:13
  • I am not sure what's up with that. I made the request via cURL to :18443. So I am not sure why it comes in on :443. I also checked with netstat and it's apache listening on that port. However, I didn't change anything (knowingly) about responses on :443. The apache.conf doesn't mention anything about it either. – ajmurmann Jul 29 '12 at 02:38

3 Answers

You need to configure Apache to use that certificate file as an authentication mechanism to its proxy backend.

Combine the .pem and .key into one file, and point to it with:

SSLProxyMachineCertificateFile /path/to/combined.pem
Shane Madden
  • Thank you very much! That fixed that error. However, now I am getting "502)Unknown error 502: proxy: pass request body failed". As you recommended elsewhere, I turned off SSLProxyCheckPeerCN, but to no effect. – ajmurmann Jul 29 '12 at 16:27
  • @ajmurmann Hmm. Try also changing your `ProxyPass` to add a trailing slash, as well: `ProxyPass / https://<3rd party server address>:18443/` – Shane Madden Jul 29 '12 at 17:54
  • Thanks for that as well. However, I already tried that based on your advice on another thread. – ajmurmann Jul 29 '12 at 19:46
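The combined file from the accepted answer, as an added example that is not part of this thread: a POSIX shell helper that builds it and refuses a passphrase-protected key (mod_ssl cannot load an encrypted key through SSLProxyMachineCertificateFile) or a key that does not belong to the certificate. Keep in mind that this file is the proxy's own identity towards the backend, not the original client's. The file names and the throwaway self-signed test pair are constructed and need openssl on the path.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Builds the combined
# PEM that SSLProxyMachineCertificateFile expects and sanity-checks it first.
# All file names and the self-signed test pair below are constructed.
set -eu

# make_proxy_bundle CERT KEY OUT
# Writes CERT followed by KEY into OUT with mode 0600. Fails without writing
# anything if the key is passphrase-protected (mod_ssl cannot use an
# encrypted key here) or if the key does not belong to the certificate.
make_proxy_bundle() {
    cert=$1; key=$2; out=$3
    if grep -q 'ENCRYPTED' "$key"; then
        echo "refusing: $key is passphrase-protected" >&2
        return 1
    fi
    # The public key inside the certificate must equal the one derived from
    # the private key; comparing the two PEM encodings is enough for that.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: $cert and $key do not match" >&2
        return 1
    fi
    # Certificate first, then key, readable only by the owner (the Apache user).
    ( umask 077; cat "$cert" "$key" > "$out" )
}

# Demo on a constructed throwaway pair: one matching, one deliberately mixed up.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=proxy-demo \
        -keyout "$tmp/my_server.key" -out "$tmp/my_server.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$tmp/unrelated.key" 2>/dev/null
    make_proxy_bundle "$tmp/my_server.pem" "$tmp/my_server.key" "$tmp/combined.pem"
    if make_proxy_bundle "$tmp/my_server.pem" "$tmp/unrelated.key" "$tmp/wrong.pem"; then
        echo "mismatch was not detected" >&2
        return 1
    fi
    echo "$tmp/combined.pem is ready for SSLProxyMachineCertificateFile"
}
demo
```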
Imho what he is really asking for is an Apache that proxies the SSL requests to an endpoint server, presumably an application server, that does SSL client certificate authentication...

The SSLProxyMachineCertificateFile will not help you in this case, as this file contains a certificate by which the Apache server authenticates itself with the application server... you don't want that: you want the calling client to use his certificate.

Presumably it should be possible for Apache to pass the certificate info it obtains on to the app server, e.g. via AJP, but I haven't been able to get this working so far. I will try and update this answer if I get it to work...

Peter
  • According to this thread on the Apache mailing list, it's not possible to forward the client cert through a proxy to the end server. http://apache-http-server.18135.n6.nabble.com/How-to-pass-a-Client-Certificate-through-a-Reverse-Proxy-td4754227.html – Steve Goodman Mar 12 '13 at 18:59
  • It is not possible for Apache to do as you presume is possible, as it doesn't have the client's private key. You will never get this to work: and you haven't in 9 years. – user207421 Jun 03 '21 at 05:55
I had the same errors. There might be a problem with a configured peer name not matching the current ProxyPass directive. In effect I access the service by localhost. The following config lines worked for me:

SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass "/api/" "https://localhost:18443/api/"

(thanks to the comment from @ajmurmann)

The message "Proxy client certificate callback: (:443) downstream server wanted client certificate but none are configured" is still in the error log, but the requests are working.

Trendfischer