ons 2007-09-12 klockan 16:41 -0700 skrev techguy005-ml@yahoo.com:
> I have an application on a web server that requires
> client side certificates that is fronted by the Squid
> proxy. One of the properties of a client-side
> certificate is the serial number.
Then you need to change the application slightly, to use trusted headers
added by Squid instead of SSL... and modify Squid slightly to add this
information to the forwarded request..
> Even if I installed the client-certificate's CA on the
> Squid proxy for it to validate the certificate, there
> is no way for Squid to then pass on the request to the
> back-end web server with the client-side certificate.
Correct.
> In essence, the certificate presented by the client to
> Squid is lost in translation as the back-end web
> server never sees it because Squid makes its own
> connection on behalf of the initial request but
> WITHOUT the client-certificate. Correct?
Not entirely. Information about the certificate can be made available,
but not the certificate exchange as such...
> In a reverse-proxy set-up, the requests sent to the
> back-end web server fronted by the Squid proxy will
> ALWAYS appear with the source IP of the Squid proxy
> server, NOT the client IP. Correct?
Correct.
> Is there no way
> to change this so it appears to come from the client's
> IP rather than Squid.
There is two ways to do this
a) Make the application use the X-Forwarded-For header added by Squid to
read the source IP instead of the TCP connection details.
b) Use the Linux TPROXY patch.
I would recommend 'a'. Escpecially if you are using the header approach
for getting the certificate details.
Regards
Henrik
Received on Thu Sep 13 2007 - 03:38:05 MDT
This archive was generated by hypermail pre-2.1.9 : Mon Oct 01 2007 - 12:00:02 MDT