
I have 3 backend API servers (HTTPS). The API servers have different authorization permissions for different users based on the user certificate. I am configuring Apache to load balance the 3 backend servers, like below:

    <VirtualHost *:zzzz>
        SSLEngine on
        SSLCertificateFile /path/to/server.crt
        SSLCertificateKeyFile /path/to/server.key
        SSLCACertificateFile /path/to/ca.crt
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        <Proxy balancer://api_server>
            BalancerMember https://xx.xx.xx.xx:yyyy
            BalancerMember https://xx.xx.xx.xx:yyyy
        </Proxy>
        ProxyPass / balancer://api_server/
    </VirtualHost>

The problem is that when a client sends a request to Apache with certificates, only the request goes to the API server, not the certificates, and the API server responds "unauthorized user". I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, whereas in this case the authorization happens only based on certificates.

Is there a way to blindly forward the HTTPS request to the API? Any other suggestion is warmly welcome.

  • Instead of a load balancer you can try proxyPass. Commented Dec 22, 2017 at 5:30
  • @NitinDhomse The ultimate goal is not to overload a single server. I tried proxyPass, though, but it's not helping. Commented Dec 22, 2017 at 5:44
  • The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client. The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache. Commented Dec 22, 2017 at 6:00
  • @Nic3500 Thanks, I configured an Nginx layer 4 load balancer and now it's working fine :) Happy holidays. Commented Dec 22, 2017 at 11:46
  • np, I converted my comment into an answer; when you have 2 sec, please accept. Happy holidays! Commented Dec 22, 2017 at 15:47

2 Answers


Transforming the comment into an answer since it solved the OP's question.

The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client.

The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.
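The layer 4 pass-through this answer recommends, written out as an added example (it is not part of the question or either answer; the OP mentions an Nginx layer 4 balancer but posts no config). It assumes nginx was built with the stream module and uses placeholder backend addresses and ports.

```nginx
# Added example, not the OP's or the answer's own config.
# This block lives at the top level of nginx.conf, beside (not inside) any
# http {} block. Backend addresses and ports are placeholders.
stream {
    upstream api_servers {
        # Pin each client address to one backend so TLS session resumption
        # state stays on the server that issued it.
        hash $remote_addr consistent;
        server 10.0.0.11:8443 max_fails=2 fail_timeout=10s;
        server 10.0.0.12:8443 max_fails=2 fail_timeout=10s;
        server 10.0.0.13:8443 max_fails=2 fail_timeout=10s;
    }

    server {
        listen 443;
        # Deliberately no ssl_* directives: nginx forwards the raw TCP stream
        # and never terminates TLS, so the handshake, including the client
        # certificate, runs end to end between the client and the backend.
        # The backend therefore sees the real client cert, and the client
        # verifies the backend's server cert itself, which the Apache setup
        # in the question had switched off with SSLProxyVerify none.
        proxy_pass api_servers;
        proxy_connect_timeout 5s;
        proxy_timeout 60s;
    }
}
```

Because nginx never decrypts the traffic, it cannot add HTTP headers, log request paths, or run HTTP-level health checks; those belong on the backends, and the balancer only sees per-connection events.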


Try switching to AJP instead of the HTTP proxy, as explained in the Apache doc: https://httpd.apache.org/docs/2.4/en/mod/mod_proxy_ajp.html

If I understand well what you're saying, you need the client certificate to be forwarded, which is a feature of AJP:

Request Packet Structure

    ?ssl_cert    0x07    String

1 Comment

My back end servers only accept HTTPS requests. I configured an nginx layer 4 load balancer and now it's working fine.
