On Thu, Jan 23, 2014 at 9:14 AM, Sittampalam, Nagu < nagu.sittampa...@southampton.gov.uk> wrote:
> What we are trying to achieve is like you said SSL termination at Apache
> httpd and reverse proxy to backend server over SSL but we need to send
> through client authentication header. This is so we can give internet
> based clients access to our Microsoft SCCM 2012 management point. Would
> you be able to point to any documents on how to do this please. Below is
> what Microsoft say about it.
>
> · SSL bridging to SSL:
>
> The recommended configuration when you use proxy web servers for
> Internet-based client management is SSL bridging to SSL, which uses SSL
> termination with authentication. Client computers must be authenticated by
> using computer authentication, and mobile device legacy clients are
> authenticated by using user authentication. Mobile devices that are
> enrolled by Configuration Manager do not support SSL bridging.
>
> The benefit of SSL termination at the proxy web server is that packets
> from the Internet are subject to inspection before they are forwarded to
> the internal network. The proxy web server authenticates the connection
> from the client, terminates it, and then opens a new authenticated
> connection to the Internet-based site systems. When Configuration Manager
> clients use a proxy web server, the client identity (client GUID) is
> securely contained in the packet payload so that the management point does
> not consider the proxy web server to be the client. Bridging is not
> supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to
> HTTP.

It is a mystery to me. The language in the MS document seems to be referring to some information other than the normal HTTP headers that must be replicated to the back-end connection.

> Nagu Sittampalam | Security Team Leader, IT Solutions Division |
> Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax:
> 02380 832973 | e-mail nagu.sittampa...@southampton.gov.uk | e-mail
> nagu.sittampa...@capita.co.uk | post Capita ITS, 1st Floor, One Guildhall
> Square, Above Bar, Southampton, SO14 7FP
> This email and any files transmitted with it are confidential, and may be
> subject to legal privilege, and are intended solely for the use of the
> individual or entity to whom they are addressed.
> If you have received this email in error or think you may have done so,
> you may not peruse, use, disseminate, distribute or copy this message.
> Please notify the sender immediately and delete the original e-mail from
> your system.
>
> *From:* Jeff Trawick [mailto:traw...@gmail.com]
> *Sent:* 23 January 2014 14:01
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
>
> On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu <
> nagu.sittampa...@southampton.gov.uk> wrote:
>
> Thank you for the response and yes it is not reverse proxy anymore. Is my
> assumption correct that Apache reverse proxy is not capable of doing SSL
> bridging?
>
> I'm not familiar with the term "SSL bridging". I see a description of
> "SSL bridging" in BIG-IP here: http://www.f5.com/glossary/ssl-bridging/
> Apache httpd does not have that capability. But Microsoft has a
> different description of "SSL bridging" here:
> http://technet.microsoft.com/en-us/library/cc722817.aspx
>
> What are you trying to accomplish? SSL termination at Apache httpd, and
> reverse proxy to backend server over SSL? Yes, that is implemented.
>
> *From:* Jeff Trawick [mailto:traw...@gmail.com]
> *Sent:* 23 January 2014 13:29
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
>
> On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu <
> nagu.sittampa...@southampton.gov.uk> wrote:
>
> Hello
>
> I did not get any response to my below email so I assume SSL bridging
> cannot be done on Apache reverse proxy. So wanted to know if it is
> possible to do SSL tunnelling with Apache reverse proxy?
>
> "Reverse" proxy hides the backend server from the client, and the httpd
> doing the proxying is the SSL termination point. I don't think you mean to
> refer to "reverse" proxy.
>
> See the notes on the CONNECT protocol support here:
>
> http://httpd.apache.org/docs/2.4/mod/mod_proxy_connect.html
>
> _____________________________________________
> *From:* Sittampalam, Nagu
> *Sent:* 17 January 2014 08:05
> *To:* 'users@httpd.apache.org'
> *Subject:* SSL bridging with Apache reverse proxy
>
> Hello
>
> Is it possible to do SSL bridging with Apache reverse proxy? Searching on
> the internet most results suggest it does not work. We want to use Apache
> reverse proxy to allow internet clients to connect to our Microsoft SCCM
> 2012 server. This requires SSL bridging with the ability to pass through
> client authentication header information.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
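
The arrangement discussed in the thread (SSL termination at httpd with client authentication, then a new authenticated SSL connection to the backend) can be sketched as an httpd 2.4 configuration. This is an added example, not configuration from the thread or from any poster; host names, file paths and the X-Client-* header names are assumptions, and the thread does not establish what the SCCM management point expects to receive.

```apache
# Added example (not from the thread). Host names, file paths and the
# X-Client-* header names are assumptions chosen for illustration.
<VirtualHost *:443>
    ServerName proxy.example.org

    # Front side: terminate SSL here and require a client certificate
    # issued by the CA that signs the managed computers' certificates.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/proxy.crt
    SSLCertificateKeyFile /etc/httpd/ssl/proxy.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Back side: httpd opens a new SSL connection and authenticates with
    # its own certificate (PEM file holding the cert and unencrypted key).
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem
    SSLProxyCACertificateFile      /etc/httpd/ssl/backend-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    # "set" overwrites any value the client supplied, so the backend only
    # ever sees identity data taken from the verified certificate.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

The backend sees the proxy's certificate on its connection, not the original client's; the client's identity reaches it only through the forwarded headers, which the backend should accept from the proxy's address alone.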