Configuração
ServerA Apache executando um site HTTPS, que requer um certificado de cliente para se conectar. veja as informações abaixo sobre /etc/apache2/sites-available/secure.site.conf e /etc/apache2/mods-available/ssl.conf
ClientA : Navegador se conectando ao ServerA usando um certificado de cliente
Proxy no ServerB : Apache atuando como um proxy de encaminhamento, que deve ser capaz de se conectar ao ServerB usando um certificado de cliente e servidor, veja as informações abaixo sobre / etc / apache2 / sites-available /forward.proxy.conf
ClientB : Navegador usando proxy no ServerB para acessar o conteúdo no ServerA sem a necessidade de um certificado de cliente.
Status
Soluções alternativas Eu encontrei o SEnginx que deveria ser capaz de fazer o trabalho
Este é um substituto no caso do Apache não ser capaz de fazer isso ...
Arquivos de log
/var/log/apache2/proxy_8004_access.log
all start with [Wed Nov 18 23:42:00.888597 2015] [proxy:debug] [pid 4374:tid 140546074822528]
[...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
[...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
[...] proxy_util.c(1848): AH00930: initialized pool in child 4374 for (*) min=0 max=25 smax=25
[...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
[...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
[...] proxy_util.c(1848): AH00930: initialized pool in child 4373 for (*) min=0 max=25 smax=25
/var/log/apache2/secure.site_error.log
all start with [Wed Nov 18 23:42:13.462770 2015] [core:trace6] [pid 4374:tid 140545817044736]
[...] core_filters.c(527): [client 192.168.0.30:59423] core_output_filter: flushing because of FLUSH bucket
[...] ssl_engine_kernel.c(1807): [client 192.168.0.30:59423] OpenSSL: Write: unknown state
[...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
[...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
[...] [client 192.168.0.30:59423] AH02008: SSL library error 1 in handshake (server secure.site:443)
[...] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
[...] client 192.168.0.30:59423] AH01998: Connection closed to child 70 with abortive shutdown (server secure.site:443)
Detalhes sobre a configuração
Server A - Client Certificates creation
mkdir -p /root/myCA/CA /root/myCA/server /root/myCA/user; cd /root/myCA; echo 01 > serial; touch index.txt
#CA creation
openssl genrsa -out /root/myCA/CA/myCA.key 1024
openssl req –new –key /root/myCA/CA/myCA.key –out /root/myCA/CA/myCA.csr
input>Common Name (e.g. server FQDN or YOUR name) []:myCA
openssl x509 -req -days 3650 -in /root/myCA/CA/myCA.csr -out /root/myCA/CA/myCA.crt -signkey /root/myCA/CA/myCA.key
#SERVER cert creation
openssl genrsa -des3 -out /root/myCA/server/secure.site.key 1024
input>password
openssl req -new -key /root/myCA/server/secure.site.key -out /root/myCA/server/secure.site.csr
input> Common Name (e.g. server FQDN or YOUR name) []:secure.site
openssl ca -days 3650 -in /root/myCA/server/secure.site.csr -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/server/secure.site.crt -config /etc/ssl/openssl.cnf
#clients cert creatin
openssl genrsa -des3 -out /root/myCA/user/[email protected] 1024
input>password
openssl req -new -key /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
input >Common Name (e.g. server FQDN or YOUR name) []:Developers
openssl ca -in /root/myCA/user/[email protected] -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/user/[email protected]
openssl x509 -in /root/myCA/user/[email protected] -text
#export for usage in browser
openssl pkcs12 -export -clcerts -in /root/myCA/user/[email protected] -inkey /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
#concat file for proxy
cat [email protected] [email protected] > [email protected]
Server A /etc/apache2/sites-available/secure.site.conf (full file)
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
Servername secure.site
DocumentRoot /var/www/secure.site/www
LogLevel trace8 ssl:trace8
ErrorLog ${APACHE_LOG_DIR}/secure.site_error.log
CustomLog ${APACHE_LOG_DIR}/secure.site_access.log combined
SSLEngine on
SSLCertificateFile /root/myCA/server/secure.site.crt
SSLCertificateKeyFile /root/myCA/server/secure.site.key
SSLCACertificateFile /root/myCA/CA/myCA.crt
</VirtualHost>
</IfModule>
/etc/apache2/mods-available/ssl.conf (just infos what was added)
added at the end
SSLVerifyClient require
SSLVerifyDepth 2
Server B /etc/apache2/sites-available/forward.proxy.conf
listen 8004
<VirtualHost *:8004>
ProxyRequests On
ProxyVia On
LogLevel trace8 ssl:trace8
ErrorLog ${APACHE_LOG_DIR}/proxy_8004_access.log
CustomLog ${APACHE_LOG_DIR}/proxy_8004_error.log combined
SSLCACertificateFile "/root/myCA/CA/myCA.crt"
SSLProxyMachineCertificateFile "/root/myCA/user/[email protected]"
</VirtualHost>