On Thu, Apr 20, 2000 at 09:39:47AM +0200, Joe Ammann wrote:
> Now for the application I will be using it, I will have to hack it up
> a bit. The requirements are that the proxy uses different (client)
> certificates towards the back end server depending on several
> parameters (where is the request coming from, etc.). Looking at the
> code, I think it doesn't have that capability yet.

Hmmm - I haven't had time to look through the new proxy code in detail,
but I think you're right that it is "one cert only" - unless these
options can be set on a per virtual host basis? Because then you could
do a really ugly "double proxy" hack having the different Machine
certs spread over a range of 127.0.0.1:xxxxx vhosts. There are a couple
of things to note about that sort of approach: every time you change
the certificate, then a new RSA handshake has to be made, and that will
use extra cpu. While I'm having a go at dirty hacks, one other would be
setting up a load of stunnel [1] SSL tunnels to listen locally on your
server with each of their own client cert. Then your frontend would
just use standard ProxyPass and choose the right stunnel based on
whatever access rules you have. But the warning about bad performance
and plenty of chances to make mistakes ;-)
If you do have control of both front- and backend servers, and just
need to pass some info to the backend server, then you could go for
a solution along the lines of mod_proxy_add_forward[2], which would be
relatively simple to implement and much faster. 
Maybe you need something completely different? but I'm too low on 
caffeine to give a better explanation right now ;-)

> 
> Who is maintaining this part? I'd like to discuss so that I maybe can
> do my things in a way that might be useful for others, too?
> 
As with everything else in mod_ssl (and quite a few other packages), it
is Ralf who does all the work. But don't be surprised if you get one of
his "busy-autoreplies" - you might find it easier to send some of your
ideas to the list. 

[1] http://mike.daewoo.com.pl/computer/stunnel/
[2] ftp://ftp.netcetera.dk/pub/apache/mod_proxy_add_forward.c

vh

Mads Toftum
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
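The stunnel-plus-ProxyPass approach described in the reply, as an added configuration example that is not from the original thread or from mod_ssl. It assumes current Apache 2.x mod_proxy/mod_rewrite syntax and stunnel 4+ style configuration (the 2000-era versions differed), two stunnel client-mode instances on loopback ports 8443 and 8444, and placeholder backend and network values.

```apache
# httpd.conf fragment (added example, not from the original thread).
# Assumed layout: two stunnel instances run in client mode on the
# frontend host, each presenting its own client certificate to the
# backend:
#   127.0.0.1:8443 -> backend.example.com:443 using client-cert-a.pem
#   127.0.0.1:8444 -> backend.example.com:443 using client-cert-b.pem
# (per stunnel.conf section: client = yes, accept = 127.0.0.1:<port>,
#  connect = backend.example.com:443, cert = /etc/stunnel/<cert>.pem)
# Apache picks a tunnel, and therefore a client cert, per request
# based on the caller's source address.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module    modules/mod_rewrite.so

# Reverse proxy only; never expose an open forward proxy.
ProxyRequests Off
ProxyPreserveHost On

RewriteEngine On
# Requests from the 10.1.0.0/16 network (placeholder) are sent through
# the tunnel that presents certificate A.
RewriteCond %{REMOTE_ADDR} ^10\.1\.
RewriteRule ^/app/(.*)$ http://127.0.0.1:8443/app/$1 [P,L]
# Everyone else goes through the tunnel that presents certificate B.
RewriteRule ^/app/(.*)$ http://127.0.0.1:8444/app/$1 [P,L]

# Map Location/Content-Location headers coming back from either
# tunnel onto the public URL space.
ProxyPassReverse /app/ http://127.0.0.1:8443/app/
ProxyPassReverse /app/ http://127.0.0.1:8444/app/

# The hop between Apache and stunnel is plaintext HTTP, so both the
# proxy targets above and the stunnel "accept" addresses must stay on
# 127.0.0.1; a tunnel bound to a routable address would let anyone who
# can reach it borrow that client certificate.
```

Each extra tunnel costs a separate TLS session to the backend, which is the CPU and complexity overhead the reply warns about.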
