I have an Apache HTTPD working as a reverse proxy, and Tomcat (6.0.35) server(s). What I'm trying to achieve is mutual trust between the Tomcat server and the reverse proxy. Meaning that when the reverse proxy forwards a request it will present its own certificate, which will be imported into Tomcat's truststore file, thus making Tomcat accept requests only when they really are made by the reverse proxy (and if possible maybe even check that Tomcat's certificate is a certain specific certificate). I have managed to set up a Tomcat that requires a client certificate and it works perfectly, but the correct reverse proxy configuration seems to be eluding me.
Viewed 1.9k times
9
- 1 Why? Normally the Apache HTTPD and the Tomcats are in the same LAN and don't have to establish trust relationships at all. Usually the client SSL connection terminates at the HTTPD. – user207421 Jul 04 '12 at 11:38
- 2 Well, let's just say that it's not exactly the usual use-case/topology :) And we need extra security. – Scis Jul 04 '12 at 12:47
1 Answer
11
You should try the `SSLProxyMachineCertificateFile` option and point it to a file containing your client certificate and its (unencrypted) private key in PEM format.
- 5 Thanks :) I have just found this myself and was writing an answer. I think it's important to point people to [this](http://stackoverflow.com/q/1180397/) and say that after creating a .p12 file, in order to use it as a file in the `SSLProxyMachineCertificateFile` directive one should run `openssl pkcs12 -in your_file.p12 -out bla.pem -nodes` in order to export a passphrase-less key and certificate (you'll make your `SSLProxyMachineCertificateFile` point to that file). Later, if Tomcat has to play a client role, adding the p12 to its keystore does the trick. – Scis Jul 04 '12 at 11:35
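A complete httpd-side configuration for the setup discussed in this thread, added here as an example and not taken from the question or the answer: the proxy presents its own client certificate to Tomcat (the `SSLProxyMachineCertificateFile` part) and also pins which certificate it will accept from Tomcat (the "if possible" part of the question). Host names, ports and file paths are assumptions.

```apache
# Added example: Apache httpd reverse proxy doing mutual TLS toward Tomcat.
# Host names, ports and file paths below are placeholders, not from the thread.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com

    # Front-end TLS for browsers (terminated here, as user207421 notes)
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/proxy-server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/proxy-server.key

    # Back-end TLS: required for an https:// ProxyPass target
    SSLProxyEngine on

    # Client certificate plus UNENCRYPTED private key, PEM, concatenated in one
    # file. Produced from the .p12 exactly as in the comment above:
    #   openssl pkcs12 -in proxy-client.p12 -out proxy-client.pem -nodes
    # Because the key is unencrypted, keep this file mode 0600, owned by root,
    # readable only by the httpd parent process.
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    # Trust anchor for Tomcat's server certificate. Put only the CA that
    # issued Tomcat's cert here (or the self-signed Tomcat cert itself), so a
    # backend presenting any other certificate is rejected.
    SSLProxyCACertificateFile /etc/httpd/ssl/tomcat-ca.pem
    SSLProxyVerify        require
    SSLProxyVerifyDepth   1

    # Also require the backend cert's CN/SAN to match the ProxyPass host name
    # (httpd 2.4.5 or later; omit this line on older releases).
    SSLProxyCheckPeerName on

    ProxyRequests Off
    ProxyPass        /app/ https://tomcat.internal:8443/app/
    ProxyPassReverse /app/ https://tomcat.internal:8443/app/
</VirtualHost>
```

On the Tomcat side this pairs with the connector the question already has working (client auth required, proxy-client.crt imported into Tomcat's truststore); a quick check that the chain works end to end is `openssl s_client -connect tomcat.internal:8443 -cert proxy-client.pem -key proxy-client.pem -CAfile tomcat-ca.pem`, which should complete the handshake with "Verify return code: 0 (ok)".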