Forum Discussion
Nick_68106
Nimbostratus
NimbostratusSSL client cert auth between two Apache servers
Greetings all,
I have been bouncing around the idea of having one of my Apache servers authenticate against the other Apache server using Client SSL Certs. However I can not find a way to make Apache send a Client certificate when it initiates the request, using mod_proxy, to the other Apache server. However both Apache servers reside behind VIPs on LTMs. So what I am thinking is writing an iRule on Apache server A VIP to include the Client SSL cert when making a request to Apache server B VIP.
Before I start trying to tackle this I was wondering if anyone has done something similar , I have searched around the forums with minimal success but some good starting points.
Any pointers? Has anyone tried this before? Is it even possible?
Thanks in advance,
-Nick
hooleylistCirrostratus
Hi Nick,
Can you give some background on why you want to do this?
You could have LTM send a client cert when it load balances a VS connection to a pool member (like the destination Apache server). You can do this using a custom server SSL profile. This wouldn't validate the Apache server acting as a client, but it would allow you to require a client cert on any connections to the destination Apache server.
Aaron
Nick_68106Thanks for the reply hoolio,
The reason for this is wanting to get away from username/password authentication between the two web servers and force a stronger authentication method. However you bring up a very valid point "this wouldn't validate the Apache server acting as a client". I over looked that when I started to realize this would be possible to accomplish in the load balancer.
Thank you for the quick response. I think you saved me from going down the wrong road. I am going to head back to mod_proxy land and see if I can get it to work there.
Cheers,
--Nick