
List:       apache-httpd-users
Subject:    Re: [users@httpd] Client certificate auth behind f5 loadbalancer
From:       Marc Schöchlin <ms () 256bit ! org>
Date:       2014-06-29 20:33:35
Message-ID: 53B0781F.4070207 () 256bit ! org

Hi,

thanks for your response.

I know that F5 load balancers can do this - unfortunately I use a shared
load balancer without the possibility to make fast changes to the
certificate revocation list.

Regards
Marc


On 28.06.2014 19:54, Marco Pizzoli wrote:
> Hi Marc,
> as an F5 user maybe you are not yet aware that with F5, leveraging
> iRules, you can:
> - implement client cert verification/validation, also specifically
> checking the CN of the certificate
> - publish to the Apache backend custom HTTP headers carrying
> information extracted from the client certificate
>
> Both cases are well documented on the F5 site. The first one in
> particular I can confirm, having implemented it on my own.
>
> Is it something useful to your case?
>
> Regards
> Marco
>
>
>
>
> On Sat, Jun 28, 2014 at 5:04 PM, Marc Schöchlin <ms@256bit.org
> <mailto:ms@256bit.org>> wrote:
>
>     Hi,
>
>     On 06/26/2014 04:08 PM, Andre.Wendel@bmw.de
>     <mailto:Andre.Wendel@bmw.de> wrote:
>     > Why do you terminate the ssl on the F5 and not on the
>     Apache-backend? We load balance IP/Port-based on the F5 and
>     terminate the SSL on the Apache backend, so you would be able to
>     turn on your SSLEngine and Proxy the SSL from the F5 on the SSL
>     Standard SSL Port 443 of the Apache and you can do everything you
>     want because you have all SSL information.
>
>     I use a wildcard certificate on my frontend IP to do iRule-based
>     (looking for the Host header) backend pool selection.
>     Therefore it would be good to terminate SSL in the F5.
>
>     I will now use a new frontend IP on the load balancer and then I
>     will forward the traffic to the backend servers....
>
>     Regards
>     Marc
>
>     --
>     GPG encryption available: 0x670DCBEC/pool.sks-keyservers.net
>     <http://pool.sks-keyservers.net>
>
>
>     ---------------------------------------------------------------------
>     To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>     <mailto:users-unsubscribe@httpd.apache.org>
>     For additional commands, e-mail: users-help@httpd.apache.org
>     <mailto:users-help@httpd.apache.org>
>
>
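The thread lays out two ways to handle client certificates when an F5 sits in front of Apache: terminate TLS on the Apache backend (Andre's suggestion, which keeps the CRL on a host Marc controls), or terminate on the F5 and let an iRule forward the verified subject CN in a custom header (Marco's suggestion). The following Apache httpd 2.4 configuration is an added example written for this page, not configuration from any participant or from the F5 documentation; the hostname, file paths, CN values and the F5 self-IP 10.0.0.5 are assumed placeholders.

```apache
# Added example, not from the thread.
# Option A: TLS and client-certificate verification on the Apache backend.
# The CRL file lives on this host, so revocations can be rolled out without
# touching the shared F5 (the constraint Marc raises in the thread).
Listen 443
<VirtualHost *:443>
    ServerName app.example.org                      # assumed
    SSLEngine on
    SSLCertificateFile      /etc/ssl/app/server.crt  # assumed path
    SSLCertificateKeyFile   /etc/ssl/app/server.key  # assumed path

    # Require a client certificate chaining to our own client CA.
    SSLVerifyClient         require
    SSLVerifyDepth          2
    SSLCACertificateFile    /etc/ssl/app/client-ca.pem   # assumed path

    # Check the CRL for every certificate in the chain, not just the leaf.
    # After replacing the CRL file, a graceful restart picks up the change.
    SSLCARevocationFile     /etc/ssl/app/client-ca.crl   # assumed path
    SSLCARevocationCheck    chain

    # Export SSL_CLIENT_* variables for the application and for ap_expr.
    SSLOptions +StdEnvVars

    <Location "/">
        # CN check on the Apache side, the equivalent of the iRule CN check
        # Marco describes. CN values are assumed.
        Require expr %{SSL_CLIENT_S_DN_CN} in { "batch-client-01", "batch-client-02" }
    </Location>
</VirtualHost>

# Option B: the F5 terminates TLS, verifies the client certificate and sets
# an X-Client-CN header (header name assumed) before forwarding over HTTP.
# The backend must trust that header only when the request really came from
# the F5, so access is limited to the F5's self-IP and both conditions must
# hold (RequireAll, since bare sibling Require lines would be OR-ed).
<VirtualHost *:80>
    ServerName app.example.org                      # assumed
    <Location "/">
        <RequireAll>
            Require ip 10.0.0.5                      # assumed F5 self-IP
            Require expr %{HTTP:X-Client-CN} in { "batch-client-01", "batch-client-02" }
        </RequireAll>
    </Location>
</VirtualHost>
```

In option B the iRule on the F5 has to set X-Client-CN unconditionally (overwriting anything the client sent) so that a client cannot supply its own value; the IP restriction on the backend only guards against requests that bypass the F5 altogether. Option A is the one that matches Marc's situation, because the revocation check then depends only on a file on the Apache host.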

