
I am attempting to create the following setup using Apache:

    UserBrowser ----Client Certificate----> LoadBalancer (Apache 2.4)
    LoadBalancer (Apache 2.4) ----LB Client Certificate----> Apache 2.2 Web Server

So the user connects to the load balancer and provides a client certificate - This works correctly.

A reverse proxy then makes the load balancer connect to the web server; the web server requests a certificate from the load balancer, and I get the following error:

    Proxy client certificate callback: (0.0.0.0:443) entered
    Proxy client certificate callback: (0.0.0.0:443) downstream server wanted client certificate but none are configured
    [remote 0.0.0.1:443] SSL Proxy connect failed
    [ssl:info] SSL Library Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (SSL alert number 40)
    [ssl:info] [remote 0.0.0.1:443] Connection closed to child 0 with abortive shutdown (server 0.0.0.0:443)
    [ssl:info] [remote 0.0.0.1:443] SSL handshake failed: sending 502

Load Balancer Config:

    SSLProxyEngine on
    ProxyRequests off
    ProxyPreserveHost on
    ProxyTimeout 600
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyMachineCertificateFile "/path/to/keyandcert.pem"

Web Server Config:

    SSLVerifyClient require

This scenario works if I remove SSLVerifyClient from the web server; traffic is then load balanced. I need to have client verification between the User and the LB and between the LB and the WS.

Keys and certs have been generated using a 1024-bit modulus.

Can anyone offer an insight into what might be going wrong here?

1 Answer

Your request is unclear. There can be, however, the following cases that I can imagine:

  • you intend to construct a client certificate authentication scheme. In this case the client should be authenticated by the balancer, as there's no way to use an HTTP-aware balancer, an SSL offloading on the balancer, and pass the client certificate to the backend. Once authenticated (or not) - the balancer should report the result to the backend using HTTP headers.
  • you intend to create a simple SSL offloading scheme. In this case you don't need the HTTPS between a balancer and the backend, as usually they communicate to each other using a trusted transport.

Either way, the scheme you are describing doesn't completely match any of the above.

P.S. use nginx as a balancer, apache is long gone.

  • The user is authenticated by the Load Balancer. The Load Balancer must then authenticate itself with its own client certificate to the Back-end Web Server. It provides its certificate using the SSLProxyMachineCertificateFile option. I'm not trying to pass the same certificate from the User to the Back-end, I'm using 2-way authentication with a reverse proxy. Commented Aug 18, 2016 at 13:11
  • This approach is weird. Authenticate the balancer using its IP address. Commented Aug 18, 2016 at 15:02
  • I agree that this approach is not the norm, but if I only authenticate using the IP address how do I prevent an IP Spoofing attack? Commented Aug 22, 2016 at 12:29
  • IP spoofing attack (with MitM scheme) is only possible when the attacker is in the same L2 domain as your server. Otherwise it will be simplex (in its most pessimistic case) and harmless. Commented Aug 23, 2016 at 13:16
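Added example, not part of the question or the answer above: a pair of virtual hosts that implement the two-hop scheme the question describes (user to balancer, balancer to backend, both with client certificates) and also pass the hop-1 result to the backend in headers, as the answer's first bullet suggests. In mod_ssl 2.4 the "downstream server wanted client certificate but none are configured" line is logged by the proxy certificate callback when the virtual host making the outbound connection has no certificates loaded from SSLProxyMachineCertificateFile at all (an issuer that matches none of the backend's acceptable CAs produces a different message), so the example keeps that directive in the same virtual host as the ProxyPass that uses it, and the backend's SSLCACertificateFile holds the CA that issued the balancer's certificate, because that CA name is what the backend sends in its CertificateRequest and what the balancer matches against. All hostnames, paths and CA names are assumed; the example also assumes 2048-bit keys rather than the 1024-bit ones in the question, since 1024-bit RSA is below the minimum current TLS stacks and distributions accept.

```apache
# --- Load balancer: Apache 2.4, terminates the user's TLS and checks hop 1 ---
# Hostnames and file paths are assumptions for this example, not the OP's.
<VirtualHost *:443>
    ServerName lb.example.test

    SSLEngine on
    SSLCertificateFile      /etc/ssl/lb/server.crt
    SSLCertificateKeyFile   /etc/ssl/lb/server.key

    # Hop 1: the browser must present a certificate issued by the user CA.
    SSLCACertificateFile    /etc/ssl/lb/user-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # Hop 2: the balancer authenticates itself to the backend with its own
    # certificate. The directive must live in the same virtual host as the
    # ProxyPass below; the PEM holds the unencrypted key followed by the cert.
    SSLProxyEngine                  on
    SSLProxyMachineCertificateFile  /etc/ssl/lb/lb-client.pem

    # Verify the backend's identity too, instead of switching the checks off.
    SSLProxyCACertificateFile       /etc/ssl/lb/backend-ca.crt
    SSLProxyVerify                  require
    SSLProxyCheckPeerName           on

    ProxyRequests       off
    ProxyPreserveHost   on
    ProxyTimeout        600

    # Report the hop-1 result to the backend. "set" overwrites anything the
    # browser sent under these names, so a client cannot inject its own values.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}s"

    ProxyPass        / https://backend.example.test/
    ProxyPassReverse / https://backend.example.test/
</VirtualHost>

# --- Backend: Apache 2.2, accepts only the balancer's client certificate ---
<VirtualHost *:443>
    ServerName backend.example.test

    SSLEngine on
    SSLCertificateFile      /etc/ssl/backend/server.crt
    SSLCertificateKeyFile   /etc/ssl/backend/server.key

    # The CA that issued lb-client.pem. Its subject is sent to the balancer in
    # the CertificateRequest, and mod_ssl on the balancer picks the machine
    # certificate whose issuer matches it, so this file must contain that CA.
    SSLCACertificateFile    /etc/ssl/backend/lb-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          1

    # Pin to the one balancer identity rather than "any cert from lb-ca".
    <Location />
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "lb.example.test"
    </Location>
</VirtualHost>
```

To check the hop-2 handshake without Apache in the way, connect from the balancer host with `openssl s_client -connect backend.example.test:443 -cert /etc/ssl/lb/lb-client.pem -key /etc/ssl/lb/lb-client.pem -CAfile /etc/ssl/lb/backend-ca.crt`: the "Acceptable client certificate CA names" it prints must include the subject of lb-ca.crt, and the handshake must complete with the same alert-free result the balancer expects. The backend should trust the X-SSL-Client-* headers only on this mTLS-protected virtual host, since on any listener the balancer does not own they would be attacker-controlled.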
