Ssl – Redirect SSL requests from proxy Apache server to another Apache server

apache-2.2 apache-2.4 https PROXY ssl

We have a legacy application with the URL https://www2.devDocApp.com/ which is running on Ubuntu 8 and Apache 2.2 with no TLS 1.2 support. We had a hard time upgrading Apache 2.2 and OpenSSL on the Ubuntu 8 box, so now we are standing up a proxy Apache server (secure-devDocApp, a Windows 2012 VM with Apache/2.4.29 (Win64)) which redirects all the requests to https://www2.devDocApp.com/

Below is the Apache configuration I've used to set up the proxy server secure-devDocApp:

<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 
DocumentRoot "C:/apache/htdocs"
ServerName  secure-devDocApp    
SSLEngine on
RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"


SSLProtocol -ALL TLSv1.2
SSLCertificateFile "C:/apache/conf/server.cer"
SSLCertificateKeyFile "C:/apache/conf/server.key"   
SSLCACertificateFile "C:/apache/conf/ca.cer"
SSLVerifyClient optional
SSLVerifyDepth  3

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>    
ProxyPass   / https://www2.devDocApp.com/   
SSLProxyEngine on

RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"

</VirtualHost>

We have a page '/clientAuth' which requires client certificate authentication. When I hit the proxy Apache URL https://secure-devDocApp/clientAuth in the browser, it prompts me to choose from the existing client certificates, but when I choose the client certificate I get a 404 instead of the authorized content. However, client certificate authentication works fine on the legacy URL https://www2.devDocApp.com/clientAuth, which prompts for a client certificate, and I can see the authorized page for the chosen client certificate.

I suspect the proxy Apache server secure-devDocApp is not forwarding the SSL certificate requests to the legacy Apache server of www2.devDocApp.com. Can someone please help me forward SSL requests from one Apache server to another?

Best Answer

In our legacy Apache, we updated RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s" to the below, to allow client certificate authentication via the proxy Apache server:

SetEnvIf X_SSL_CLIENT_M_SERIAL "^$" NO_X_SSL_CLIENT_M_SERIAL
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s" env=NO_X_SSL_CLIENT_M_SERIAL

Also added SSLOptions +ExportCertData to the proxy Apache VirtualHost.
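The header handling from the question and the answer, shown next to a backend variant that accepts the forwarded serial only from the proxy. This is an added example, not configuration from the original post; the address 192.0.2.10 and the variable name FROM_PROXY are placeholders chosen for illustration.

```apache
# --- Proxy (secure-devDocApp, Apache 2.4), line as posted in the question ---
# "set" replaces any same-named header sent by the browser, so the backend
# receives the serial of the certificate that mod_ssl verified on the proxy.
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"

# --- Legacy backend (Apache 2.2), rule as posted in the answer ---
# The local serial is written only when the incoming header is empty,
# so a non-empty incoming header is kept regardless of which peer sent it.
SetEnvIf X_SSL_CLIENT_M_SERIAL "^$" NO_X_SSL_CLIENT_M_SERIAL
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s" env=NO_X_SSL_CLIENT_M_SERIAL

# --- Legacy backend, variant (use in place of the two lines above) ---
# Mark requests whose TCP peer is the proxy.
# 192.0.2.10 is a placeholder for the proxy's address; FROM_PROXY is a hypothetical name.
SetEnvIf Remote_Addr "^192\.0\.2\.10$" FROM_PROXY
# For every other peer, overwrite the header with the serial this server
# verified itself, so only the proxy's value is ever passed through as-is.
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s" env=!FROM_PROXY
```

The same pattern applies to the SslSubject header the proxy sets from SSL_CLIENT_S_DN.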