We have a legacy application at `https://www2.devDocApp.com/`, which is running on Ubuntu 8 and Apache 2.2 with no TLS 1.2 support. We had a hard time upgrading Apache 2.2 and OpenSSL on the Ubuntu 8 box, so now we are standing up a proxy Apache server (`secure-devDocApp`, a Windows 2012 VM with Apache/2.4.29 (Win64)) which redirects all the requests to `https://www2.devDocApp.com/`.

Below is the Apache configuration I've used to set up the proxy server `secure-devDocApp`:

```apache
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    DocumentRoot "C:/apache/htdocs"
    ServerName secure-devDocApp
    SSLEngine on
    RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLProtocol -ALL TLSv1.2
    SSLCertificateFile "C:/apache/conf/server.cer"
    SSLCertificateKeyFile "C:/apache/conf/server.key"
    SSLCACertificateFile "C:/apache/conf/ca.cer"
    SSLVerifyClient optional
    SSLVerifyDepth 3
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "C:/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://www2.devDocApp.com/
    SSLProxyEngine on
    RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
    RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
</VirtualHost>
```

We have a page '/clientAuth' which requires client certificate authentication. When I am hitting the proxy Apache URL `https://secure-devDocApp/clientAuth` in the browser, it prompts me to choose from the existing client certificates, but when I choose the client certificate I am getting a 404 instead of the authorized content. However, client certificate authentication works fine on the legacy URL `https://www2.devDocApp.com/clientAuth`, which prompts for a client certificate, and I can see the authorized page for the chosen client certificate.

I suspect the proxy Apache server `secure-devDocApp` is not forwarding the SSL certificate requests to the legacy Apache server of `www2.devDocApp.com`. Can someone please help me forward SSL requests from one Apache server to another?

Best Answer
In our legacy Apache, updated `RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"` to below, to allow client certificate authentication via the proxy Apache server. Also added `SSLOptions +ExportCertData` to the proxy Apache VirtualHost.
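
One way the proxy side of the change described in the answer can look, as an added example that is not the answerer's configuration: the browser's TLS handshake ends at the proxy, so the client certificate can reach the legacy server only as request headers. The header names `X-SSL-Client-Verify` and `X-SSL-Client-Cert` are assumptions; host names and file paths are the ones from the question.

```apache
# Added example: proxy-side forwarding of a verified client certificate.
# X-SSL-Client-Verify and X-SSL-Client-Cert are assumed header names.
<VirtualHost *:443>
    ServerName secure-devDocApp

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    "C:/apache/conf/server.cer"
    SSLCertificateKeyFile "C:/apache/conf/server.key"

    # CA(s) allowed to issue client certificates; the proxy performs the
    # verification, the backend only sees the result.
    SSLCACertificateFile  "C:/apache/conf/ca.cer"
    SSLVerifyClient optional
    SSLVerifyDepth 3

    # Without this option mod_ssl does not populate SSL_CLIENT_CERT (PEM text).
    SSLOptions +ExportCertData

    SSLProxyEngine on
    ProxyRequests Off
    ProxyPass        / https://www2.devDocApp.com/
    ProxyPassReverse / https://www2.devDocApp.com/

    # "set" replaces any value the browser sent under the same name, so a
    # client cannot pre-fill these headers itself.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"
    RequestHeader set SslSubject          "%{SSL_CLIENT_S_DN}s"
</VirtualHost>
```

The legacy server should accept these headers only on connections coming from the proxy's address, and should treat any `X-SSL-Client-Verify` value other than `SUCCESS` as unauthenticated.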