
My web servers need to integrate with a 3rd party's server that sits behind a firewall. In order to get through the firewall all requests have to come from the same IP address and be authenticated via SSL. So I set up a machine that's supposed to work as a proxy and forward all traffic via SSL to the 3rd party server.

I set up the proxy with the certificates and matching key files and can make a successful request to the 3rd party service via cURL just fine, using the certificate and key file. I set up a virtual host on Apache to pass these requests through, but keep getting errors saying that the SSL handshake with the remote server failed. I see the following error messages in my Apache logs:

Proxy client certificate callback: (:443) downstream server wanted client certificate but none are configured
[Sun Jul 29 01:40:48 2012] [error] (502)Unknown error 502: proxy: pass request body failed to <3rd party IP>:18443 (<3rd party URL>)
[Sun Jul 29 01:40:48 2012] [error] [client ] proxy: Error during SSL Handshake with remote server returned by /

My apache virtual host configuration looks as follows:

<VirtualHost *:18443>
    ServerName <Proxy IP>
    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/my_server.pem
    SSLCertificateKeyFile /etc/apache2/ssl/my_server.key
    SSLProxyCACertificatePath /etc/ssl/certs
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://<3rd party server address>:18443
    ProxyPassReverse / https://<3rd party server address>:18443
</VirtualHost>

Thank you! Any help is highly appreciated!

  • Just a hunch, but can you post the config for whatever is listening on :443? Based on your log snippet something is trying to establish an SSL connection on :443 and then getting redirected to :18443. Commented Jul 29, 2012 at 2:13
  • I am not sure what's up with that. I made the request via cURL to :18443. So I am not sure why it comes in on :443. I also checked with netstat and it's Apache listening on that port. However, I didn't change anything (knowingly) about responses on :443. The apache.conf doesn't mention anything about it either. Commented Jul 29, 2012 at 2:38

3 Answers


You need to configure Apache to use that certificate file as an authentication mechanism to its proxy backend.

Combine the .pem and .key into one file, and point to it with:

SSLProxyMachineCertificateFile /path/to/combined.pem 
  • Thank you very much! That fixed that error. However, now I am getting "502)Unknown error 502: proxy: pass request body failed". As you recommended elsewhere, I turned off SSLProxyCheckPeerCN, but to no effect. Commented Jul 29, 2012 at 16:27
  • @ajmurmann Hmm. Try also changing your ProxyPass to add a trailing slash, as well: ProxyPass / https://<3rd party server address>:18443/ Commented Jul 29, 2012 at 17:54
  • Thanks for that as well. However, I already tried that based on your advice on another thread. Commented Jul 29, 2012 at 19:46

Imho what he is really asking for, is an Apache that proxies the SSL requests to an endpoint server, presumably an application server, that does SSL client certificate authentication...

The SSLProxyMachineCertificateFile will not help you in this case as this file contains a certificate by which the apache server authenticates itself with the application server... you don't want that: you want the calling client to use his certificate

Presumably it should be possible for Apache to pass the certificate info it obtains on to the app server, e.g. via AJP, but I haven't been able to get this working so far. I will try and update this answer if I get it to work...

  • According to this thread on the Apache mailing list, it's not possible to forward the client cert through a proxy to the end server. apache-http-server.18135.n6.nabble.com/… Commented Mar 12, 2013 at 18:59
  • It is not possible for Apache to do as you presume is possible, as it doesn't have the client's private key. You will never get this to work: and you haven't in 9 years. Commented Jun 3, 2021 at 5:55

I had the same errors. There might be a problem with a configured peer name not matching the current ProxyPass directive. In effect I access the service by localhost. The following config lines worked for me:

SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass "/api/" "https://localhost:18443/api/"

(thanks to the comment from @ajmurmann)

But the message Proxy client certificate callback: (:443) downstream server wanted client certificate but none are configured still is in the error log, but the requests are working.
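Putting the accepted answer's SSLProxyMachineCertificateFile together with the peer-name directives from this answer, the following virtual host is an added example (not the asker's config and not from any of the answers) that keeps backend verification switched on instead of turning SSLProxyCheckPeerCN/SSLProxyCheckPeerName off. It assumes Apache 2.4 (Require syntax, SSLProxyCheckPeerName), and the backend hostname, the CA bundle name and the combined PEM path are placeholders.

```apacheconf
# Added example; hostnames and paths are placeholders, not the original poster's values.
#
# The backend authenticates THIS PROXY with a client certificate, so mod_ssl needs
# the proxy's certificate and its unencrypted private key in ONE PEM file:
#   cat /etc/apache2/ssl/my_server.pem /etc/apache2/ssl/my_server.key \
#       > /etc/apache2/ssl/proxy-client.pem
#   chmod 600 /etc/apache2/ssl/proxy-client.pem
# (Apache does not allow comments after a directive on the same line, so every
#  comment here is on its own line.)
<VirtualHost *:18443>
    # assumed name of this proxy host
    ServerName proxy.example.internal

    # TLS towards our own callers (the web servers)
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/my_server.pem
    SSLCertificateKeyFile /etc/apache2/ssl/my_server.key

    # TLS towards the 3rd-party backend
    SSLProxyEngine on
    # cert+key used to answer the backend's certificate request; without it you get
    # "downstream server wanted client certificate but none are configured"
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem

    # Verify the backend instead of disabling checks: trust only the CA that
    # issued the backend's server certificate (assumed file name), require a
    # valid chain, and check that the name matches the ProxyPass hostname.
    # Weak alternative seen in this thread: SSLProxyCheckPeerName off accepts
    # any certificate from that CA regardless of the name in it.
    SSLProxyCACertificateFile /etc/apache2/ssl/thirdparty-ca.pem
    SSLProxyVerify          require
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    # ProxyPreserveHost is left at its default (Off): the Host header sent
    # upstream and the peer-name check then both use the backend hostname
    # from the ProxyPass URL rather than whatever the caller sent.
    <Proxy *>
        Require all granted
    </Proxy>
    # trailing slash on both sides, as suggested in the comments above
    ProxyPass        / https://backend.thirdparty.example:18443/
    ProxyPassReverse / https://backend.thirdparty.example:18443/
</VirtualHost>
```

If the backend certificate's name does not match the hostname in ProxyPass (as in the localhost case above), the fix is to proxy to the name the certificate was issued for, not to switch the name check off.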
