Ssl – Linux forward proxy for client authentication

PROXYsslssl-certificate

I need to use a simple HTTP forward proxy proxy for Linux to do mutual SSL authentication.
The proxy needs to attach a client certificate to HTTP request and then upgrade HTTP to HTTPS.

I have tried to do that with Nginx, Apache only to reach a dead end.

https://superuser.com/questions/604352/nginx-as-forward-proxy-for-https?rq=1

http://apache-http-server.18135.x6.nabble.com/How-to-pass-a-Client-Certificate-through-a-Reverse-Proxy-td4754227.html

I tried squid but it's too complicated in installation and configuration.

What should I go for (I don't mind commercial software or free ones)?

Best Answer

I don't see a reason to connect first using an insecure protocol and redirect to HTTPS afterwards.

The way this is done using the apache web server is quite simple, you can use any of the fields of the client certificate to authenticate your users:

Require              ssl-verify-client
SSLRequireSSL
SSLOptions           +FakeBasicAuth +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 256
SSLRequire           %{SSL_CLIENT_S_DN_O} eq "Awesome Company" \
                 and %{SSL_CLIENT_S_DN_OU} eq "Development" \
                 and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe"}

Read the online documentation for further guidance.

Related Solutions

Linux – Forward proxy for webservices with SSL client certs

Squid-in-the-middle decryption and encryption of straight CONNECT and transparently redirected SSL traffic, using configurable CA certificates.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Iis – Configuring IIS ARR for backend client certificate authentication

Chances are Microsoft ARR is using CAPI to store its certificates, but there are no guarantee that ARR will use it even if you make the certificate available to it. Client side authentication requires extra code, and your requirements are not that common. It could have been overlooked and left behind...

To make your client certificate available to a service, you have to edit its "MY" CAPI store. Run mmc.exe from an elevated prompt and add the certificate snap-in. You will have to select which CAPI store to use. Select the computer's store. Import your certificate in the "Personal certificates", making sure you imported the private key with it (it will say so when you go back and view the certificate you imported).

If adding your certificate to the computer store does not work, try the service store. This will be required if ARR runs with its own identity.

I also had an issue with AD-LDS where the service did not have read access to the private key. This article was helpful, but it might be too far off for ARR. Look for ADAM special case in that page, the command you are looking for is

Certutil –V –Verifystore MY 0

Best Answer

Related Solutions

Linux – Forward proxy for webservices with SSL client certs

Iis – Configuring IIS ARR for backend client certificate authentication

Related Topic