We have an internal server that requires x509-based authentication, but I've been requested to open it up with a basic user/password authentication.
I've been trying to set up a reverse proxy in Apache that uses a trusted certificate to connect to the internal server, but I don't seem to be able to choose and use the certificate. The basic authentication works fine.
Going through all related questions here and googling for some days, my bet is that I need to use some SSLProxy* directives, but none of what I tried has been successful so far.
BTW, I'm using a self-signed certificate for authenticating in the internal server.
So far my .conf file reads like this:
    <VirtualHost *:80>
        ServerName external.server
        SSLProxyEngine on
        UnknownSSLDirectives
        ProxyRequests Off
        ProxyPass / https://internal.server/
        ProxypassReverse https://internal.server/ /
        <Location />
            AuthType Basic
            AuthName "Authenticated proxy"
            AuthUserFile /etc/httpd/passwd/passwords
            Require user USER
        </Location>
        <Proxy>
            Order Deny,Allow
            Allow from all
        </Proxy>
        RequestHeader unset Authorization
        ErrorLog "logs/proxy.error.log"
        CustomLog "logs/proxy.access.log" common
    </VirtualHost>
I seem to be so close, but cannot penetrate the intrinsics of the SSL authentication. I hope someone can enlighten me.
SSLProxyMachineCertificateFile should be what you're looking for; make sure you've got the client certificate in PEM format (must be unencrypted, and both public and private keys in this file --nodes openssl option) and the device should present that certificate for authentication to the upstream server.
Oh, and semi-unrelated: your ProxyPassReverse's settings look to be backwards; they should usually match ProxyPass. It's unintuitive, but it's there for on-the-fly modification of absolute URL paths that the upstream server sends in headers (it doesn't actually like reversed input).
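The answer's two fixes applied to the question's virtual host, as an added example that is not code from either post. The certificate paths are hypothetical, and the upstream-verification directives are an addition that assumes the internal server's issuing certificate is available as a PEM file.

```apache
# Added example; file paths under /etc/httpd/ssl/ are hypothetical placeholders.
<VirtualHost *:80>
    ServerName external.server

    # Speak TLS to the upstream and present a client certificate to it.
    SSLProxyEngine on
    # One PEM file holding the client certificate and its unencrypted private key.
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    # Assumption: the proxy should also verify the internal server's certificate.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.pem
    # Hostname check against the upstream certificate (Apache 2.4.5 or later).
    SSLProxyCheckPeerName on

    ProxyRequests Off
    ProxyPass        / https://internal.server/
    # Same argument order as ProxyPass: local path first, upstream URL second.
    ProxyPassReverse / https://internal.server/

    <Location />
        AuthType Basic
        AuthName "Authenticated proxy"
        AuthUserFile /etc/httpd/passwd/passwords
        Require user USER
    </Location>

    # Strip the Basic credentials before the request goes to the internal server.
    RequestHeader unset Authorization

    ErrorLog "logs/proxy.error.log"
    CustomLog "logs/proxy.access.log" common
</VirtualHost>
```

Because the private key in that PEM file is unencrypted, keep the file readable only by the account Apache starts as. Basic credentials arrive unencrypted on a plain port-80 virtual host, so the same directives are better placed in a TLS-enabled one.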