top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Apache: reverse proxy, balancing and ssl client certificate authentication

+1 vote
823 views

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

posted Oct 17, 2013 by Jagan Mishra

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

I would use haproxy for this. I don't think (happy to be wrong) that you can pass through unterminated SSL to a backend with mod_proxy_http.

answer Oct 17, 2013 by Anderson
Similar Questions
+4 votes

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

+6 votes

I have a reverse proxy (apache 2.2) with mod_proxy_balancer with https visible to the outside world.

The question is: from the proxy performance/scalability point of view is it better to configure backends (origin servers) with http or with https?

Is it true that if proxy is setup https->http then it only has to decrypt/encrypt the headers and the body is encrypted/decrypted on the backend? I do not use mod_proxy_html (but maybe there are other modules which affect this behaviour on the proxy?.

How either setup affects latency of handling requests? With https->https do I have to do two handshakes (on the proxy and on the backend) for every connection? I have KeepAlive both on the proxy and the backends.

+3 votes

I have Apache 2.4 (win32) and have the following in my CA bundle.

Root 1
Subordinate 1
Subordinate 2

My server was signed off Subordinate 1, When I do openssl s_client -connect server:443, it shows both Subordinate 1 and Subordinate 2 in the acceptable CA names.

If I remove Subordinate 2 from the bundle, It only shows Subordinate 1 as a acceptable CA. However, if I remove Subordinate 1, it still shows as an acceptable CA.

It seems httpd references not only cabundle/cafiles but also certs in the Chain file. as acceptable CAs.

Is it possible to prevent a user signed off Subordinate 1 from using client certificate authentication while the server cert is issued off Subordinate 1?

+3 votes

I want to expose backend https servers over internet through reverse proxy. Backend servers are already have SSL certificates. Do I need to install SSL on reverse proxy too.

If I redirect external users requests to https server via reverse proxy then will end user see the SSL certificate in browser.

Can anyone help me in this situation. I already have 3 SSL on internal servers, so do I need more certificates. How the configuration will go in this case.

+2 votes

I am asking best practice/info/docs of how to have 2 apache web servers in load balancing.
- Which httpd module do I have to load in the http conf?
- I was reading that I have to have a web load balancer on top of them? Is it necessary? Can they accept requests from a cisco /F5 load balancer?
- What about persistent connection?
- Also we''ll have a mySQL server? Any more info about this?

...