Yasser -
As Tom mentioned in his response, you must terminate SSL, there is no
"passthrough". However, what I think you are looking for is the ability to do
terminiate SSL at apache and pass the client certificate as part of the request
that you forward to Jboss. If this is the case, you can do the following with
mod_jk/apache:
Within your vhost context:
#Define your ssl bits as needed to correctly terminate the two way handshake:
SSLEngine on
SSLCertificateKeyFile $FULL_PATH_TO_FILENAME
SSLCertificateChainFile $FULL_PATH_TO_FILENAME
SSLCACertificateFile $FULL_PATH_TO_FILENAME
SSLCertificateFile $FULL_PATH_TO_FILENAME
SSLInsecureRenegotiation on
# The following directive will include the client certificate that is presented
for 2way ssl in the data sent to your application server:
SSLOptions +ExportCertData +StdEnvVars
If you use mod_jk to pass your connection from apache to jboss, you'll need to
define the following:
uriworkermap.properties:
/path/to/url/you/want/to/forward*=$WORKER_NAME
workers.properties:
worker.list=$WORKER_NAME
worker.node1.port=$JBOSS_LISTENING_PORT
worker.node1.host=$JBOSS_HOSTNAME_OR_IP
worker.node1.type=ajp13
worker.node1.ping_mode=A
worker.node1.socket_timeout=20
Cheers-
Sandy
-----Original Message-----
From: Tom Evans [mailto:tevans...@googlemail.com]
Sent: Thursday, March 03, 2011 12:45 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache module suitable for SSL passthrough
On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <yarafa...@gmail.com> wrote:
> Hello all,
>
> My JBoss app server has mutual SSL authentication setup (We do some
> processing based on the client certificate).
>
> I need to have a web server in front of JBoss. Which is the best apache
> module that can do an SSL passthrough to JBoss?
>
>
>
> Thank and regards,
>
> Yasser
>
>
There is no such thing as SSL pass through - SSL is an end to end
encryption protocol, there can be no middle.
You can do SSL termination on apache and forward the appropriate
sections of the client certificate through to jboss as custom HTTP
headers. You cannot do SSL termination on apache and re-present the
client certificate to jboss.
Cheers
Tom
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
