Apache2.4: Forward proxy for client certificate authentication to IIS7

We have an ASP.NET 1.1 web service (https://dev-ms01/MsgService/default.asmx) running on IIS7 (Windows Server 2008 Standard). We have configured client certificate authentication in IIS, and below is the .NET code for client certificate authentication:

private void Authenticate(DataTable dtUserMap, HttpContext context)
{
    // Convert the serial number from IIS to the DC format,
    // which is: no dashes, octets in proper order.
    // Note: Request.ClientCertificate is only populated when IIS itself
    // negotiated the client certificate on its own TLS listener.
    string SerialNum = context.Request.ClientCertificate.SerialNumber.Replace("-", "");

    Debug.WriteLine("Authenticate User with cert = " + SerialNum);

    // get the column names from the table
    string[] columnNames = new String[dtUserMap.Columns.Count];

    // populate the string array with the names
    for (int i = 0; i < dtUserMap.Columns.Count; i++)
    {
        columnNames[i] = dtUserMap.Columns[i].ColumnName;
    }

    // Run a select query with the serial number
    DataRow[] rows = dtUserMap.Select("SerialNumber='" + SerialNum + "'");
    if (rows.Length == 1)
    {
        // the user exists
        Debug.WriteLine("User Authenticated");
        // further logic
    }
    else
    {
        // either too many users or not any users
        Debug.WriteLine("No single User Found");
        context.Items.Add("IsAuthenticated", false);
    }
}

We are setting up an Apache 2.4 server to support TLS 1.2 and also act as a proxy for the IIS server; below is the Apache configuration:

<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"  
ServerName  secure-dev-ms01
SSLEngine on
SSLProtocol -ALL TLSv1.2

SSLVerifyClient optional
SSLVerifyDepth  3


<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/elm/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>


SSLProxyEngine On
SSLOptions +ExportCertData
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
<Proxy *>
    # Apache 2.4 authorization syntax; Order/Allow are 2.2 directives (mod_access_compat)
    Require all granted
</Proxy>
#ProxyPass should be prior to any other Proxy directives    
ProxyPass        /  http://dev-ms01:80/
ProxyPassReverse /  http://dev-ms01:80/ 

RewriteEngine  on

RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
</VirtualHost>

When I browse to the https://secure-dev-ms01/MsgService/default.asmx URL it prompts for the client certificate, and when I choose the client cert I am not seeing the authorized content that I am supposed to see. I suspect the SSLOptions +ExportCertData config of Apache is not forwarding the client certificate to IIS. I couldn't find much info/articles on how to forward the client certificate from Apache to IIS.

Can someone please help me configure Apache as a forward proxy for client certificate authentication to IIS?

Update 1:

Tried forwarding the requests to https://dev-ms01/ instead of http://dev-ms01:80/ and also setting the SSL_* request headers in the Apache VirtualHost as below, but still no luck:

SSLProxyEngine On
SSLOptions +ExportCertData +StdEnvVars 
#ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
<Proxy *>
    # Apache 2.4 authorization syntax; Order/Allow are 2.2 directives (mod_access_compat)
    Require all granted
</Proxy>
#ProxyPass should be prior to any other Proxy directives
ProxyPass   / https://dev-ms01/
ProxyPassReverse   / https://dev-ms01/
RewriteEngine  on

RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
# was %{SSL_SERVER_S_DN_CN}s: that copies the server cert's CN into a header named for the client's CN
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
RequestHeader set SSL_CLIENT_CERT_CHAIN_1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
1
asked 8 March 2018 at 19:48
1 answer

AFAIK, if Apache terminates the TLS request, IIS has no way to see the original client certificate. Apache's proxy feature cannot initiate an https request that would carry the original client certificate, since Apache will not have access to the associated private key.

"SSLOptions +ExportCertData config of apache not forwarding the client certificate to IIS"

That's not what the ExportCertData option does. Those options just set some environment variables that can be used by CGI or by other directives in Apache. It does not magically pass that certificate along. You are even using some of those variables in your RequestHeader lines...

If you really need to proxy your requests through Apache, you will need to update your application behind the proxy to accept and trust the HTTP headers you set in Apache as the equivalent of the certificate.

2
answered 3 December 2019 at 20:16
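What the last paragraph of the answer means in practice on the ASP.NET side: stop reading Request.ClientCertificate (IIS never negotiated a client certificate, so it is empty) and read the headers Apache sets instead, while refusing to believe those headers from anyone who is not the proxy. The following is an added example written for this page, not code from the question or the answer. It keeps the question's header names (X_SSL_CLIENT_M_SERIAL, SSL_CLIENT_VERIFY) and its DataTable lookup; the proxy address 10.0.0.5, the class name and the sample user table are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;
using System.Web;

// Added example for this page (not the question's or the answer's code):
// authenticate from the certificate data Apache put into request headers,
// but only when the request provably came from the Apache proxy.
public class ProxyCertAuthenticator
{
    // Assumption: the address the Apache proxy connects from, as IIS sees it.
    // Anyone else who can reach the backend (http://dev-ms01:80/ is plain HTTP)
    // could type these headers themselves, so the source address is the trust anchor.
    private static readonly string[] TrustedProxies = new string[] { "10.0.0.5" };

    // Header names exactly as the question's RequestHeader lines set them.
    private const string SerialHeader = "X_SSL_CLIENT_M_SERIAL";
    private const string VerifyHeader = "SSL_CLIENT_VERIFY";

    // mod_ssl exports SSL_CLIENT_M_SERIAL as hex digits with no separators
    // (an X.509 serial is at most 20 octets, i.e. 40 hex digits).
    private static readonly Regex HexSerial = new Regex("^[0-9A-F]{2,40}$");

    // Strip the dash/colon forms seen elsewhere and require pure hex. A value
    // that passes this check cannot break out of the DataTable filter string.
    public static string NormalizeSerial(string raw)
    {
        if (raw == null) return null;
        string s = raw.Replace("-", "").Replace(":", "").Trim().ToUpper();
        return HexSerial.IsMatch(s) ? s : null;
    }

    // Returns the serial to look up, or null when the request carries no
    // trustworthy identity. With SSLVerifyClient optional, Apache still sets
    // the headers for a client that sent no certificate; SSL_CLIENT_VERIFY is
    // then "NONE" (or "FAILED:reason" for a bad chain), never "SUCCESS".
    public static string ExtractTrustedSerial(string remoteAddr, string serialHeader, string verifyHeader)
    {
        if (Array.IndexOf(TrustedProxies, remoteAddr) < 0) return null;
        if (verifyHeader != "SUCCESS") return null;
        return NormalizeSerial(serialHeader);
    }

    // Exactly one matching row means an authenticated user, as in the question.
    public static bool LookupUser(DataTable dtUserMap, string serial)
    {
        if (serial == null) return false;
        DataRow[] rows = dtUserMap.Select("SerialNumber='" + serial + "'");
        return rows.Length == 1;
    }

    // Drop-in replacement for the question's Authenticate(): same table,
    // same IsAuthenticated item, identity taken from the proxy headers.
    public static void Authenticate(DataTable dtUserMap, HttpContext context)
    {
        string serial = ExtractTrustedSerial(
            context.Request.UserHostAddress,
            context.Request.Headers[SerialHeader],
            context.Request.Headers[VerifyHeader]);
        context.Items["IsAuthenticated"] = LookupUser(dtUserMap, serial);
    }

    // Stand-alone exercise of the decision logic over a constructed user table.
    public static void Main()
    {
        DataTable users = new DataTable();
        users.Columns.Add("SerialNumber", typeof(string));
        users.Rows.Add(new object[] { "1A2B3C4D" });

        // proxy source, verified certificate, serial in Apache's format
        Console.WriteLine(LookupUser(users, ExtractTrustedSerial("10.0.0.5", "1A2B3C4D", "SUCCESS")));
        // identical headers from a client that reached port 80 directly
        Console.WriteLine(LookupUser(users, ExtractTrustedSerial("192.0.2.10", "1A2B3C4D", "SUCCESS")));
        // proxy source, but the browser sent no certificate
        Console.WriteLine(LookupUser(users, ExtractTrustedSerial("10.0.0.5", "", "NONE")));
        // filter-expression injection attempt; rejected before the DataTable sees it
        Console.WriteLine(LookupUser(users, ExtractTrustedSerial("10.0.0.5", "' OR 1=1 --", "SUCCESS")));
    }
}
```

Two things make this safe to rely on. On the Apache side, RequestHeader set replaces any same-named header a browser sent, so the values IIS receives through the proxy are always Apache's own; changing SSLVerifyClient to require additionally guarantees that no request without a verified certificate is proxied at all. On the IIS side, the backend port must be reachable only from the proxy (firewall or IIS IP address restrictions), because the remote-address check above is the only thing standing between a direct connection to dev-ms01:80 and a self-asserted serial number.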
