Pound Mailing List Archive, 2011-03
Using Private Key for Client Auth with Pound
Pound Rproxy <poundrproxy(at)yahoo.com> | 2011-03-12 10:18:20
I currently have a server that has a self-signed SSL cert and viewing it is
restricted by using a private key that's been exported to Firefox.
I want to put Pound in front of this and 1 other server, so that both are using
the same https listener in pound.cfg and the same private key on the client end
for restricting access.
My confusion is mostly around where to generate the server.pem for Pound.
Do I generate the server.pem and private browser key on the pound server or
import the server.pem from a backend server?
If the second option, does this mean I can only have one SSL backend per Pound
instance?
I'm just at the point of testing now (creating keys takes me a while) and have
created a new CA, self-signed cert, pem file, and private key on the Pound
server.
I have commented out all SSL stuff in the Apache httpd.conf files on both
backend servers so now they should just pass http requests back to Pound.
I've tested that each backend resolves with http and without need for a private
key, as I want Pound to handle this.
But I can't get Pound to resolve the backends. Am I doing something wrong or
that isn't possible?
Here's my pound.cfg so far:
ListenHTTPS
    Address 192.168.1.140
    Port 443
    Cert "/usr/etc/server.pem"
    LogLevel 2
    Service
        BackEnd
            Address 192.168.1.141
            Port 8080
        End
    End
    Service
        BackEnd
            Address 192.168.1.142
            Port 8083
        End
    End
End
Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Dave Steinberg <dave(at)redterror.net> | 2011-03-12 16:01:46
On 3/12/2011 4:18 AM, Pound Rproxy wrote:
> I currently have a server that has a self-signed SSL cert and viewing it is
> restricted by using a private key that's been exported to Firefox.
> I want to put Pound in front of this and 1 other server, so that both are
> using the same https listener in pound.cfg and the same private key on the
> client end for restricting access.
>
> My confusion is mostly around where to generate the server.pem for Pound.
> Do I generate the server.pem and private browser key on the pound server or
> import the server.pem from a backend server?
It doesn't matter where they are generated. A PEM file is just a
private key + certificate, you can make it anywhere.
> If the second option, does this mean I can only have one SSL backend per
> Pound instance?
You can have many ListenHTTPS directives per pound instance, it has
nothing to do with the certificates used.
> I'm just at the point of testing now (creating keys takes me a while) and
> have created a new CA, self-signed cert, pem file, and private key on the
> Pound server.
> I have commented out all SSL stuff in the Apache httpd.conf files on both
> backend servers so now they should just pass http requests back to Pound.
> I've tested that each backend resolves with http and without need for a
> private key, as I want Pound to handle this.
> But I can't get Pound to resolve the backends. Am I doing something wrong or
> that isn't possible?
>
> Here's my pound.cfg so far:
>
> ListenHTTPS
>     Address 192.168.1.140
>     Port 443
>     Cert "/usr/etc/server.pem"
>     LogLevel 2
>
>     Service
>         BackEnd
>             Address 192.168.1.141
>             Port 8080
>         End
>     End
>
>     Service
>         BackEnd
>             Address 192.168.1.142
>             Port 8083
>         End
>     End
>
> End
Your config looks fine. What happens when you hit it, specifically?
Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/
Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Pound Rproxy <poundrproxy(at)yahoo.com> | 2011-03-13 05:55:34
Thanks Dave,
I found my prob (not pound ;-) and things are _partly_ working now -
https is working for the first server (let's ignore the second server =)
__but__ it doesn't care if I use a private key or not - so anyone can see the
self-signed cert, accept it, and visit the site behind it.
I'm not sure how to configure pound to check for a private key in the user's
browser.
Before I created the single pem file (from .crt and .key) to use on pound, the
machine with the self-signed cert was only visible to client browsers with a
private key.
This access restriction was created in the apache httpd.conf file with the
following:
<Directory />
    ...normal stuff...
    <IfDefine SSL>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} req "CompanyName" and
                   %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
    </IfDefine>
</Directory>
and:
SSLEngine On
SSL Cert dirs...
----> SSLVerifyClient require
etc
The only way I can imagine doing the same now would be to run apache on the same
server as pound, but I don't want that, and I doubt this would stick for backend
servers I want pound to redirect to.
Perhaps I should still enable ssl eg 'SSLVerifyClient require' etc on apache on
the first backend 141? This is the server that did this before I tried pound.
The only other option I see is to create the PEM on 141 and move it to the pound
server, but again, where does pound require the private key to access the
self-signed cert and backends?
My goal in using pound is to have one pem file on it, and direct a few
restricted users each with a private key to backend servers, all viewed in
https.
Please keep the suggestions coming, I'm slowly learning here! :D
--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Pound Rproxy <poundrproxy(at)yahoo.com> | 2011-03-13 13:12:20
Hi Dave,
Scratch my last email - I found: ClientCert.
I use:
ClientCert 2 2
to force using a client cert and 2 deep (hopefully mirroring 'SSLVerifyDepth 2'
that I had in 141's apache httpd.conf before moving ssl to pound).
This gives me the error:
Peer does not recognize and trust the CA that issued your certificate.
(Error code: ssl_error_unknown_ca_alert)
So I'm on the right track but it looks like I need to include CAlist and
VerifyList.
I read about (and hopefully understood) the difference between these but my
trouble begins when trying to understand how to correctly create them.
For VerifyList, I:
openssl x509 -in my_CA.crt -out my_CA.pem
For CAlist, I:
cat my_CA.pem > my_CA_list.pem
These are accepted by pound, but now the browser error I get is:
The connection to the server was reset while the page was loading.
I think I have the VerifyList pem made properly, but I'm unsure if the CAlist is
really just a copy of my_CA.pem (if only one CA is listed as in my situation).
Where may I be going wrong above?
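An added example (not from the thread or the Pound project) that builds with openssl the pieces the ClientCert setup above needs: a private CA, the combined key+certificate server.pem that Pound's Cert directive loads, one browser client certificate, and the CAlist and VerifyList files, which for a single private CA are indeed both just that CA's PEM certificate. The working directory, subject names, password and the pound.cfg addresses are assumptions; the two verify functions show the same chain check succeeding for a cert from that CA and failing for a cert from an unrelated CA.

```shell
set -e
WORK=${WORK:-./pound-pki}   # assumed working directory for all generated files
build_pki() {
    mkdir -p "$WORK"
    ( cd "$WORK"
      # 1. Private CA (self-signed root); its certificate is what both lists hold.
      openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
          -subj "/O=CompanyName/OU=CompanyDept/CN=Private CA" \
          -keyout ca.key -out ca.crt 2>/dev/null
      # 2. Server key + cert signed by the CA; Pound's Cert file is both in one PEM.
      openssl req -newkey rsa:2048 -nodes -subj "/O=CompanyName/CN=192.168.1.140" \
          -keyout server.key -out server.csr 2>/dev/null
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 825 -out server.crt 2>/dev/null
      cat server.key server.crt > server.pem && chmod 600 server.pem
      # 3. One client cert, exported as PKCS#12 for import into the browser.
      openssl req -newkey rsa:2048 -nodes -subj "/O=CompanyName/OU=CompanyDept/CN=alice" \
          -keyout alice.key -out alice.csr 2>/dev/null
      openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 365 -out alice.crt 2>/dev/null
      openssl pkcs12 -export -inkey alice.key -in alice.crt -certfile ca.crt \
          -passout pass:changeit -out alice.p12
      # 4. VerifyList: CAs whose signature on the client cert Pound accepts.
      #    CAlist: CA names advertised to the browser so it offers a matching cert.
      #    With a single private CA both files are just that CA's certificate.
      cp ca.crt verify_list.pem
      cp ca.crt ca_list.pem )
}

# The chain check Pound performs with ClientCert 2 2 against the VerifyList.
verify_client() {
    openssl verify -CAfile "$WORK/verify_list.pem" "$WORK/alice.crt" >/dev/null 2>&1
}

# A cert from an unrelated CA must fail: the unknown-CA rejection seen in the thread.
verify_stranger() {
    ( cd "$WORK" && openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/O=Other/CN=bob" -keyout bob.key -out bob.crt 2>/dev/null )
    openssl verify -CAfile "$WORK/verify_list.pem" "$WORK/bob.crt" >/dev/null 2>&1
}
# pound.cfg from the thread, extended with the three client-cert directives.
write_pound_cfg() {
    cat > "$WORK/pound.cfg" <<EOF
ListenHTTPS
    Address 192.168.1.140
    Port 443
    Cert "$WORK/server.pem"
    ClientCert 2 2
    CAlist "$WORK/ca_list.pem"
    VerifyList "$WORK/verify_list.pem"
    Service
        BackEnd
            Address 192.168.1.141
            Port 8080
        End
    End
End
EOF
}
```

Run build_pki, then verify_client and write_pound_cfg; import alice.p12 into the browser and point Pound at the generated pound.cfg.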
Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Pound Rproxy <poundrproxy(at)yahoo.com> | 2011-03-14 00:26:42
And...
now scratch my last email too as I found I was using an old client cert! LOL
(Slaps forehead!)
All is working perfectly now, though I wish I could use the following that I had
in Apache's httpd.conf:
<IfDefine SSL>
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_S_DN_O} req "CompanyName" and
               %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
</IfDefine>
It added another level of security in checking the uniqueness of client certs.
But I'm waaay impressed by Pound and what it can do - client cert auth handled
by Pound is so cool and saves me so much fuss with backend auths. :D
(Now to post another email asking how to redirect in the way I need to the
second backend without changing the docroot on that server. =)
Thanks!
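Pound's own config only checks that the client certificate chains to the VerifyList, so the O/OU rule missed above has to move to the backend. The following is an added example (not from the thread or the Pound project) that reproduces that rule as a small CGI-style gate; it assumes Pound 2.x's X-SSL-Subject request header (added when a client certificate was verified, in OpenSSL one-line form such as /O=CompanyName/OU=CompanyDept/CN=alice), that the backend is reachable only from Pound, and that the listener strips any client-supplied X-SSL-* headers (for example with HeadRemove), so the header can be trusted.

```shell
# Rule mirrored from the Apache SSLRequire in the thread: O must equal
# CompanyName and OU must be one of the listed departments (constructed values).
ALLOWED_O="CompanyName"
ALLOWED_OUS="CompanyDept"

# Pull one RDN value ($1) out of a one-line subject ($2) such as
#   /C=XX/O=CompanyName/OU=CompanyDept/CN=alice
rdn() {
    printf '%s\n' "$2" | sed -n "s|.*/$1=\([^/]*\).*|\1|p"
}

# Exit status 0 when the subject satisfies the rule, 1 otherwise.
subject_allowed() {
    o=$(rdn O "$1"); ou=$(rdn OU "$1")
    [ "$o" = "$ALLOWED_O" ] || return 1          # empty or foreign O fails here
    for d in $ALLOWED_OUS; do
        [ "$ou" = "$d" ] && return 0
    done
    return 1
}

# CGI-style gate: Apache exposes the Pound-supplied header as HTTP_X_SSL_SUBJECT.
# Prints the CGI status line; the caller adds the body.
gate() {
    if [ -z "${HTTP_X_SSL_SUBJECT:-}" ]; then
        echo "Status: 403 Forbidden"; return 1   # no cert info: request did not come via Pound's HTTPS listener
    elif subject_allowed "$HTTP_X_SSL_SUBJECT"; then
        echo "Status: 200 OK"; return 0
    else
        echo "Status: 403 Forbidden"; return 1
    fi
}
```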