SSL – Apache module suitable for SSL passthrough

apache-2.2 ssl

My JBoss app server has mutual SSL authentication set up (we do some processing based on the client certificate).

I need to have a web server in front of JBoss. Which is the best apache module that can do an SSL passthrough to JBoss?

Best Answer

Unless you're after something incredibly trivial (forwarding all SSL traffic directly to JBoss without any handling by Apache at all, in which case you might as well use a TCP forwarder like rinetd), whatever it is you're trying to do is not possible.

In order for Apache to do anything with the SSL connection, it must negotiate the symmetric key with the client. Once Apache has done this, JBoss will not be able to decrypt the connection if Apache "just" forwarded the resulting stream to JBoss. Normally, you'd forward the decrypted connection to the application. You might even be able to get Apache to establish a new SSL connection from Apache to JBoss, but without the client's certificate, it would not have the authentication information JBoss is looking for.

Things to consider: could you make JBoss read the connection headers of a non-SSL connection to get this client information? Then you could use mod_rewrite to capture the information from the client certificate. (List of available variables) (actual (if old) example of combining mod_rewrite, mod_headers, and mod_proxy to pull this off)

If the issue is that you want to serve some content through a webserver rather than through JBoss, consider setting up a separate host, like https://static.example.com.
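A sketch of the header-forwarding approach suggested in the answer above, added here as an example and not part of the original answer: Apache terminates the mutual SSL handshake and passes the verified certificate fields to JBoss as request headers using mod_ssl, mod_headers and mod_proxy. The host name, file paths, `X-SSL-Client-*` header names and the backend address `127.0.0.1:8080` are assumptions.

```apache
# Added example: all paths, header names and the backend address are assumptions.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Apache, not JBoss, now performs client-certificate verification.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # "set" overwrites any header of the same name sent by the client,
    # so a caller cannot supply its own certificate identity.
    # %{VAR}s reads the value directly from mod_ssl.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # Forward the decrypted request to JBoss over plain HTTP on loopback.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# If a plain-HTTP virtual host proxies to the same backend, strip the
# identity headers there so they can only originate from the SSL vhost.
<VirtualHost *:80>
    ServerName www.example.com

    RequestHeader unset X-SSL-Client-Verify
    RequestHeader unset X-SSL-Client-S-DN
    RequestHeader unset X-SSL-Client-I-DN
    RequestHeader unset X-SSL-Client-Serial

    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

With this layout JBoss trusts the headers instead of the handshake, so its HTTP connector should listen only on an address that nothing but Apache can reach. The application code that previously read the client certificate from the SSL session has to be changed to read these headers.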