
First of all, the title of my question is too long. But this is what I want to know.

I have a server which is configured to handle mutual TLS with a client (this is done by Apache Axis2 code). But, during the deployment I had to put a reverse proxy (a load balancer) in front of my server. Now, the reverse proxy is doing the SSL offloading and it handles the mutual TLS too.

When I surfed the internet I learned that in such cases the reverse proxy sends the client cert in an HTTP header to the backend. Now I am thinking of checking for this header and doing the validation within the Axis2 code.

What I want to know is, is there a standard / defined header to be used to send the cert to the backend? Is it the X-Client-Cert header?

Amila Maharachchi
  • You found this where? TLS requires that the client certificate is sent in a TLS handshake message. – user207421 Feb 15 '19 at 10:24
  • @Amila is the traffic between the reverse proxy and the server unencrypted? – Oleg Feb 15 '19 at 14:07
  • @user207421 I am aware of it. Consider the scenario where my application server is fronted by a load balancer and yet my application also needs the client cert to validate certain things. In that case the practice I have seen is for the LB to pass the client cert in a header to the backend. – Amila Maharachchi Feb 18 '19 at 03:59
  • @Oleg traffic between the reverse proxy and the server is encrypted. – Amila Maharachchi Feb 18 '19 at 03:59

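As an added example for this page (not code from the question, from Axis2, or from any answer), here is the backend side of the pattern the question describes, written in Go as a stand-in for the Axis2 check. Everything in it is assumed or constructed for illustration: the header name X-Client-Cert (there is no IETF-standard header for this; it is whatever the proxy is configured to send), the encoding of the header value (PEM with its newlines percent-escaped, the shape nginx's ssl_client_escaped_cert variable produces), the load balancer address 10.0.0.2, and a throwaway CA with two "alice" certificates. The point it demonstrates is the check a practitioner needs before using such a header: the backend must accept it only from the proxy (any direct caller could otherwise forge it) and should re-verify the certificate against its own client CA instead of trusting the proxy's result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Assumed header name: there is no IETF standard; it is whatever the proxy is configured to send.
const clientCertHeader = "X-Client-Cert"

// identityFromForwardedCert returns the subject CN of the client certificate the TLS-terminating
// proxy forwarded. The header is trusted only when the request came from a known proxy address
// (otherwise any direct caller could forge it), and the certificate is re-verified against the CA pool.
func identityFromForwardedCert(r *http.Request, roots *x509.CertPool, trustedProxies map[string]bool) (string, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[host] {
		return "", fmt.Errorf("%s not accepted from %q", clientCertHeader, r.RemoteAddr)
	}
	// Assumed encoding: PEM with its newlines percent-escaped so it fits on one header line.
	pemText, err := url.PathUnescape(r.Header.Get(clientCertHeader))
	block, _ := pem.Decode([]byte(pemText))
	if err != nil || block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("%s missing or not a percent-escaped PEM certificate", clientCertHeader)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("verify: %w", err)
	}
	return cert.Subject.CommonName, nil
}

var serial int64 // serials for the constructed test PKI below
// issueCert mints a P-256 certificate for cn; self-signed when parent is nil.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newTestPKI builds a constructed client CA, an "alice" cert it issued, and an "alice" cert from an unrelated CA.
func newTestPKI() (roots *x509.CertPool, good, rogue *x509.Certificate) {
	ca, caKey := issueCert("Example Client CA", true, nil, nil)
	good, _ = issueCert("alice", false, ca, caKey)
	rogueCA, rogueKey := issueCert("Rogue CA", true, nil, nil)
	rogue, _ = issueCert("alice", false, rogueCA, rogueKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, good, rogue
}

// viaBackend runs the check on a request as the backend sees it: source address plus, when cert is non-nil, the header as a proxy would encode it.
func viaBackend(from string, cert *x509.Certificate, roots *x509.CertPool, proxies map[string]bool) (string, error) {
	r := &http.Request{RemoteAddr: from, Header: http.Header{}}
	if cert != nil {
		r.Header.Set(clientCertHeader, url.PathEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))))
	}
	return identityFromForwardedCert(r, roots, proxies)
}

func main() {
	roots, good, rogue := newTestPKI()
	proxies := map[string]bool{"10.0.0.2": true} // assumed address of the load balancer
	for _, c := range []*x509.Certificate{good, rogue, nil} { // CA-issued, unknown CA, no header
		fmt.Println(viaBackend("10.0.0.2:4431", c, roots, proxies))
	}
	fmt.Println(viaBackend("198.51.100.7:5000", good, roots, proxies)) // direct caller forging the header
}
```

Run it with go run: the first call returns alice, the other three return errors (unknown CA, no header, header from a non-proxy address). Two caveats for a real deployment. First, the source-address allow-list is the weakest form of "came from the proxy"; since the proxy-to-backend hop is itself TLS here, a better check is to require the proxy's own client certificate on that hop and read it from r.TLS.PeerCertificates (or the Axis2 equivalent) instead of trusting an IP. Second, the proxy must be configured to overwrite the header on every request, never to pass through a copy supplied by the client, because the backend check above cannot tell the two apart.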