Forum Discussion

Nick_68106
Feb 25, 2011

SSL client cert auth between two Apache servers

Greetings all,

I have been bouncing around the idea of having one of my Apache servers authenticate against the other Apache server using client SSL certs. However, I cannot find a way to make Apache send a client certificate when it initiates the request, using mod_proxy, to the other Apache server. Both Apache servers reside behind VIPs on LTMs, so what I am thinking is writing an iRule on the Apache server A VIP to include the client SSL cert when making a request to the Apache server B VIP.

Before I start trying to tackle this I was wondering if anyone has done something similar. I have searched around the forums with minimal success, but found some good starting points.

Any pointers? Has anyone tried this before? Is it even possible?

Thanks in advance,

-Nick

 

2 Replies

  • Hi Nick,

    Can you give some background on why you want to do this?

    You could have LTM send a client cert when it load balances a VS connection to a pool member (like the destination Apache server). You can do this using a custom server SSL profile. This wouldn't validate the Apache server acting as a client, but it would allow you to require a client cert on any connections to the destination Apache server.

    Aaron
  • Thanks for the reply, hoolio,

    The reason for this is wanting to get away from username/password authentication between the two web servers and force a stronger authentication method. However, you bring up a very valid point: "this wouldn't validate the Apache server acting as a client". I overlooked that when I started to realize this would be possible to accomplish in the load balancer.

    Thank you for the quick response. I think you saved me from going down the wrong road. I am going to head back to mod_proxy land and see if I can get it to work there.

    Cheers,

    --Nick
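As an added example (not part of the thread or of either poster's configuration), here is the Apache-side mod_proxy/mod_ssl setup the last reply points toward: server A presents a client certificate on its outbound TLS connection and server B requires and checks it, which is the mutual authentication the LTM server SSL profile alone would not give. Hostnames and file paths are assumptions.

```apache
# Added example (not from the thread): Apache mod_proxy presenting a client
# certificate to a second Apache server, with the second server validating it.
# Hostnames and file paths below are assumptions.

# --- Server A (the proxying side): send a client cert on outbound TLS ---
SSLProxyEngine On
# PEM file holding server A's client certificate followed by its unencrypted
# private key; mod_ssl presents it when server B requests a client cert.
SSLProxyMachineCertificateFile /etc/apache2/ssl/serverA-client.pem
# Validate server B's certificate against the internal CA so that A never
# hands its credential to a host that is not really server B.
SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt
SSLProxyVerify require
SSLProxyVerifyDepth 1
ProxyPass        /backend/ https://serverB.example.internal/
ProxyPassReverse /backend/ https://serverB.example.internal/

# --- Server B (the receiving side): require and check the client cert ---
<VirtualHost *:443>
    ServerName serverB.example.internal
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/serverB.crt
    SSLCertificateKeyFile /etc/apache2/ssl/serverB.key
    # Trust only the internal CA that issued server A's client certificate.
    SSLCACertificateFile  /etc/apache2/ssl/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Location />
        # Beyond "signed by our CA": pin the subject so only server A's
        # certificate, not any certificate from the same CA, is accepted.
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "serverA.example.internal"
    </Location>
</VirtualHost>
```

If the VIP in front of server B terminates TLS on the LTM, the client certificate is validated there rather than by Apache B, so either pass TLS through to the pool member or configure client authentication on that VIP's client SSL profile.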