Concept about how to SSL offload and load balance with... Version: 2011.02.18-06 Author: Margus Pärt

Concept about how to SSL offload and load balance with Apache2
Version: 2011.02.18-06
Author: Margus Pärt
1. About this document...............................................................................................................2
2. Description of the idea............................................................................................................3
3. Why to use this solution..........................................................................................................4
3.1 Upsides.............................................................................................................................4
3.2 Downsides........................................................................................................................4
4. SSL offloader and Load balancer............................................................................................5
4.1 Description of tasks..........................................................................................................5
4.2 Install................................................................................................................................6
4.3 Base configuration............................................................................................................8
4.4 Confirm that everything is working...............................................................................15
4.5 Configuration procedure examples................................................................................15
4.6 Upgrading.......................................................................................................................17
4.7 Backup and restore.........................................................................................................17
5. Backend server configuration...............................................................................................19
5.1 Apache2..........................................................................................................................19
5.2 Weblogic.........................................................................................................................22
5.3 Jboss, Tomcat.................................................................................................................22
6. Configuration recommendations/notes.................................................................................23
6.1 Apache............................................................................................................................23
6.2 Loadbalancing................................................................................................................23
7. Known problems...................................................................................................................24
8. Links......................................................................................................................................25
9. Appendix...............................................................................................................................26
9.1 How SSL offload is configured usually and how with this solution..............................26
9.2 Short comparison between mod_weblogic and mod_balancer stickyness and fail over
..............................................................................................................................................26
9.3 Helpful commands.........................................................................................................26
9.4 Helpful tuning directives................................................................................................26
9.5 Helpful security directives..............................................................................................26
9.6 How to create necessary headers setting file in ruby.....................................................27
1.
About this document
Newest version is always kept in: https://apache2-ssloffload-andloadbalance.googlecode.com/svn/trunk/Documentation/ (.odt and .pdf files).
Concept described in this document can be used on every OS, copy-paste to Bash is tested to
work on Ubuntu Maverick (10.10) and Debian Squeeze (6). This solution's copy-paste to
bash does not work with previous Debian (Lenny), because there is no support for
APACHE_CONFDIR.
This document covers SSL offloading and balancing concept + step-by-step manual, how to
implement it. This document does not cover, how to secure Apache2 (conf.d/security,
mod_security etc) or explanations for directives used – please use
http://httpd.apache.org/docs/current/
Version history:
What
When
Who
Changed header names from
2011.02.18-06
SSL_CLIENT_S_DN to Ssl-Client-S-Dn etc,
because its more conventional and now Tomcat,
what uses Ssl-Client-Verify and Ssl-Client-S-Dn,
is supported for the backend by default.
http://www.ietf.org/rfc/rfc2047.txt
Added “Multiply SSL offloaders and balancers
for high availability (active-active mode)”
2011.02.10-0.5
In configs some of the variables ($) were not
escaped.
2011.02.10-0.4
Added image to description.
2011.02.07-0.3
Added “About this document” and “Upgrade
steps”.
2011.02.06-0.2
Initial.
2011.02.06-0.1
Margus Pärt
2
2.
Description of the idea
SSL offload and balancing.
Not to repeat configuration so much, also to make logic more separated, one Apache2 binary
is ran with two different configurations:
• SSL offloader (In folder: /etc/apache2-ssloffloader) (It takes also HTTP requests from
user)
• Load balancer (In folder: /etc/apache2-balancer)
Listen addresses:
• SSL offloader listens at external IP
• Load balancer listens at 127.0.0.1, only SSL offloader can send request to this address
Requests path steps (abstract example, there are more variables and headers involved):
1. Client opens connection to 80 or 443, sends HTTP request: “GET /something
HTTP/1.0 \n Host: www.example.ee \n SSL_HEADER: h2xx”
2. SSL offloader deletes SSL_HEADER and sets a new one from Apache2 env variable
named SSL_HEADER, adds client info, and with ProxyPass sends request to Load
balancer: “GET /something HTTP/1.0 \n Host: www.example.ee \n SSL_HEADER:
fixed \n X-Forwarded-For: 123.231.123.231”
3. Load balancer sends request to correct backend server
4. Backend server (response to requests)
5. .. and reverse way through the chain back to the client
3
3.
Why to use this solution
3.1
Upsides
3.1.1
You don't have to repeat configuration in both 443 or 80
1.)
Common
For example, if I want to have RewriteRule from / to /otherurl using ordinary configuration, I
have to define this rule both in :443 and :80 configuration. And the same for all the rules.
(Using Apache's Include directive for common directives would be alternative, but then you
would have 3 files (HTTPS, HTTP and file to be included in both configurations.)
2.)
This solution
Although I have to create:
• SSL offloader Virtualhost
• balancer:// definition
• balancer Virtualhost
(also 3 files), they are more logically separated and can be refactored more easily.
3.1.2
You can have multiple different domains behind one wilcard certificate Virtualho st
(only one IP and port will be used)
1.)
Common
Even if I am using SNI, different Virtualhosts for different domains in different backend
server, have to be created.
2.)
This solution
One wildcard certificate can be used for different backend servers.
3.2
Downsides
3.2.1
Logic differs from conventional Apache2
1.)
Common
One Apache binary is ran with config from /etc/apache2.
2.)
This solution
Two apache proccesses will be running with config from /etc/apache2-ssloffloader and
/etc/apache2-balancer.
4
4.
SSL offloader and Load balancer
4.1
Description of tasks
4.1.1
SSL offloader's functional tasks
1. Take requests on ports 80 and 443 from clients, SSL VirtualHosts need to be defined
in directory: /etc/apache2-ssloffloader/sites-enabled, certificates are kept in
directory: /etc/certificates-apache2.
2. Clean headers from client sent data (unset SSL_CLIENT_CERT etc); set correct
headers for backend server from env values, so backend server knows if client is
authenticated. Setting headers for backend server is done in file: /etc/apache2ssloffloader/conf.d/ssl_offload_headers
3. Default SSLVerifyClient URL-s for all the hosts is defined in file: /etc/apache2ssloffloader/conf.d/ssl_smartcard_auth_url
4. Forward request to balancer.proxy, proxy configuration is defined in file: /etc/apache2ssloffloader/mods-enabled/proxy.conf and ProxyPass has to be done in VirtualHost
definition for SSL offloader file: /etc/apache2-ssloffloader/sitesenabled/name.of.site.conf
4.1.2
SSL offloader's informative tasks
1. Log requests, logging is defined in file: /etc/apache2-ssloffloader/conf.d/logging
2. Show server status at http://server/ssloffloader-status, defined in file: /etc/apache2ssloffloader/conf.d/serverinfo-status
4.1.3
Load balancer's functional tasks
1. Take requests for port 80, name based virtualhosts are defined in directory:
/etc/apache2-balancer/sites-enabled (I'd recommend use filname format:
domain.subdomain.subdomain.conf)
2. Proxy requests for correct backend node, using balancers configured in directory:
/etc/apache2-balancer/balancers and proxy configured in /etc/apache2-balancer/modsenabled/proxy.conf
4.1.4
Load balancer's informative tasks
1. Log requests, logging is defined in file: /etc/apache2-balancer/conf.d/logging
2. Show server status at http://server/balancer-status, defined in file: /etc/apache2balancer/conf.d/serverinfo-status
3. Show and let configure balancers at http://server/balancer-manager, defined in file:
/etc/apache2-balancer/conf.d/serverinfo-balancermanager
5
4.1.5
Backend server/application's functional tasks
1. Receive request and understand if user has done smartcard authentication: for
apache: /etc/apache2/conf.d/ssl_env_values_from_headers, for weblogic (Client Cert
Proxy Enabled in Console, or “<client-cert-proxy-enabled>” in web.xml)
2. Response
4.2
Install
4.2.1
Preconditions
1. Clean install of Debian, no changes to Apache default configuration files.
4.2.2
Debian Packages
# Install Apache2
apt-get install apache2 libapache2-mod-rpaf
4.2.3
Create base (create two different Apache configurations for one binary)
# Please set correct env value for external IP
LB_EXTERNAL_IP='192.168.0.9'
LB_INTERNAL_IP='127.0.0.1'
# Create host file for our needs (So we can duplicate configurations to other servers, without changing them.)
echo $LB_EXTERNAL_IP ssloffloader.proxy >> /etc/hosts
echo $LB_INTERNAL_IP balancer.proxy >> /etc/hosts
# Remove unnessesary VirtualHosts
rm -rf /etc/apache2/sites-enabled/* /etc/apache2/sites-available/*
# Copy (or create) nessesary structure
cp -a /etc/apache2 /etc/apache2-ssloffloader
cp -a /etc/default/apache2 /etc/default/apache2-ssloffloader
cp -a /var/log/apache2 /var/log/apache2-ssloffloader
cp -a /etc/apache2 /etc/apache2-balancer
cp -a /etc/default/apache2 /etc/default/apache2-balancer
cp -a /var/log/apache2 /var/log/apache2-balancer
mkdir -p /etc/apache2-balancer/balancers
# Close and disable default Apache2 configuration
/etc/init.d/apache2 stop
update-rc.d apache2 remove
chmod 000 /etc/apache2
# Create startup script for apache2-ssloffloader
cat > /etc/init.d/apache2-ssloffloader <<EOF
#!/bin/sh
6
### BEGIN INIT INFO
# Provides: apache2-ssloffloader
# Required-Start: \$local_fs \$remote_fs \$network \$syslog \$named
# Required-Stop: \$local_fs \$remote_fs \$network \$syslog \$named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Interactive: true
# Short-Description: Start/stop apache2-ssloffloader web server
### END INIT INFO
APACHE_CONFDIR='/etc/apache2-ssloffloader' /etc/init.d/apache2 \$1
EOF
chmod 755 /etc/init.d/apache2-ssloffloader
# Create startup script for apache2-balancer
cat > /etc/init.d/apache2-balancer <<EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides:
apache2-balancer
# Required-Start: \$local_fs \$remote_fs \$network \$syslog \$named
# Required-Stop: \$local_fs \$remote_fs \$network \$syslog \$named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Interactive: true
# Short-Description: Start/stop apache2-balancer web server
### END INIT INFO
APACHE_CONFDIR='/etc/apache2-balancer' /etc/init.d/apache2 \$1
EOF
chmod 755 /etc/init.d/apache2-balancer
# Set external interface IP for SSL offloader (its for external connections, both SSL and HTTP are supported)
cat > /etc/apache2-ssloffloader/ports.conf <EOF
NameVirtualHost *:80
Listen ssloffloader.proxy:80
<IfModule mod_ssl.c>
Listen ssloffloader.proxy:443
</IfModule>
<IfModule mod_gnutls.c>
Listen ssloffloader.proxy:443
</IfModule>
EOF
# Set internal interface listening for balancer to lo (localhost)
cat > /etc/apache2-balancer/ports.conf <EOF
NameVirtualHost balancer.proxy:80
Listen balancer.proxy:80
EOF
# Set default DocumentRoots
echo DocumentRoot /var/www > /etc/apache2-ssloffloader/conf.d/documentroot
echo DocumentRoot /var/www > /etc/apache2-balancer/conf.d/documentroot
# Enable/disable nessesary modules
APACHE_CONFDIR='/etc/apache2-ssloffloader' a2enmod proxy proxy_connect proxy_http rewrite headers ssl
APACHE_CONFDIR='/etc/apache2-balancer' a2enmod proxy proxy_connect proxy_http rewrite headers proxy_balancer
7
rpaf
APACHE_CONFDIR='/etc/apache2-ssloffloader' a2dismod rpaf
# Create directory for internal balancers and do that content of this folder is loaded
mkdir -p /etc/apache2-balancer/balancers
echo Include /etc/apache2-balancer/balancers/*conf > /etc/apache2-balancer/conf.d/include_balancers
# Set automatic start after reboot
update-rc.d apache2-ssloffloader defaults
update-rc.d apache2-balancer defaults
# Restart both services. In result you have two different Apache configuration on different IP-s running.
/etc/init.d/apache2-ssloffloader restart
/etc/init.d/apache2-balancer restart
# Check that processes are working (if you got some certificate error, you have to create certificates)
ps aux | grep apache2
4.3
Base configuration
4.3.1
SSL offloader's functional tasks
# Take requests for both 80 and 443 directly from client
# SSL VirtualHosts need to be defined in directory: /etc/apache2-ssloffloader/sites-enabled, certificates are
# kept in directory: /etc/certificates-apache2
cat > /etc/apache2-ssloffloader/sites-enabled/proxy.balancer.conf <<EOF
<VirtualHost *:80>
ProxyPass / http://balancer.proxy/
</VirtualHost>
EOF
cat > /etc/apache2-ssloffloader/sites-enabled/ee.example.wildcard.conf <<EOF
<VirtualHost ssloffloader.proxy:443>
ProxyPass / http://balancer.proxy/
# + Certificates
SSLEngine on
SSLCertificateFile /etc/certificates-apache2/sites/wildcard.example.ee.crt
SSLCertificateKeyFile /etc/certificates-apache2/sites/wildcard.example.ee.key
SSLCertificateChainFile /etc/certificates-apache2/sites/juur-thawte.crt
SSLCACertificateFile /etc/certificates-apache2/ssl.crt/id.crt
</VirtualHost>
EOF
# Headers cleaning from client sent data;
# setting headers for backend server is done in file: /etc/apache2-ssloffloader/conf.d/ssl_offload_headers
cat > /etc/apache2-ssloffloader/conf.d/ssl_offload_headers <<EOF
#############################################
# COMMON
#############################################
8
# UNSET COMMOND HEADERS
RequestHeader unset Proxy-Client-IP
RequestHeader unset X-Forwarded-For
#############################################
# Apache
#############################################
# CLEAN APACHE SSL HEADERS
RequestHeader unset Https
RequestHeader unset Ssl-Protocol
RequestHeader unset Ssl-Session-Id
RequestHeader unset Ssl-Cipher
RequestHeader unset Ssl-Cipher-Export
RequestHeader unset Ssl-Cipher-Algkeysize
RequestHeader unset Ssl-Cipher-Usekeysize
RequestHeader unset Ssl-Version-Library
RequestHeader unset Ssl-Version-Interface
RequestHeader unset Ssl-Client-M-Version
RequestHeader unset Ssl-Client-M-Serial
RequestHeader unset Ssl-Client-V-Start
RequestHeader unset Ssl-Client-V-End
RequestHeader unset Ssl-Client-S-Dn
RequestHeader unset Ssl-Client-S-Dn-C
RequestHeader unset Ssl-Client-S-Dn-St
RequestHeader unset Ssl-Client-S-Dn-L
RequestHeader unset Ssl-Client-S-Dn-O
RequestHeader unset Ssl-Client-S-Dn-Ou
RequestHeader unset Ssl-Client-S-Dn-Cn
RequestHeader unset Ssl-Client-S-Dn-T
RequestHeader unset Ssl-Client-S-Dn-I
RequestHeader unset Ssl-Client-S-Dn-G
RequestHeader unset Ssl-Client-S-Dn-S
RequestHeader unset Ssl-Client-S-Dn-D
RequestHeader unset Ssl-Client-S-Dn-Uid
RequestHeader unset Ssl-Client-S-Dn-Email
RequestHeader unset Ssl-Client-I-Dn
RequestHeader unset Ssl-Client-I-Dn-C
RequestHeader unset Ssl-Client-I-Dn-St
RequestHeader unset Ssl-Client-I-Dn-L
RequestHeader unset Ssl-Client-I-Dn-O
RequestHeader unset Ssl-Client-I-Dn-Ou
RequestHeader unset Ssl-Client-I-Dn-Cn
RequestHeader unset Ssl-Client-I-Dn-T
RequestHeader unset Ssl-Client-I-Dn-I
RequestHeader unset Ssl-Client-I-Dn-G
RequestHeader unset Ssl-Client-I-Dn-S
RequestHeader unset Ssl-Client-I-Dn-D
RequestHeader unset Ssl-Client-I-Dn-Uid
RequestHeader unset Ssl-Client-I-Dn-Email
RequestHeader unset Ssl-Client-A-Sig
RequestHeader unset Ssl-Client-A-Key
RequestHeader unset Ssl-Client-Cert
RequestHeader unset Ssl-Client-Cert-Chain-N
RequestHeader unset Ssl-Client-Verify
RequestHeader unset Ssl-Server-M-Version
RequestHeader unset Ssl-Server-M-Serial
RequestHeader unset Ssl-Server-V-Start
RequestHeader unset Ssl-Server-V-End
9
RequestHeader unset Ssl-Server-S-Dn
RequestHeader unset Ssl-Server-S-Dn-C
RequestHeader unset Ssl-Server-S-Dn-St
RequestHeader unset Ssl-Server-S-Dn-L
RequestHeader unset Ssl-Server-S-Dn-O
RequestHeader unset Ssl-Server-S-Dn-Ou
RequestHeader unset Ssl-Server-S-Dn-Cn
RequestHeader unset Ssl-Server-S-Dn-T
RequestHeader unset Ssl-Server-S-Dn-I
RequestHeader unset Ssl-Server-S-Dn-G
RequestHeader unset Ssl-Server-S-Dn-S
RequestHeader unset Ssl-Server-S-Dn-D
RequestHeader unset Ssl-Server-S-Dn-Uid
RequestHeader unset Ssl-Server-S-Dn-Email
RequestHeader unset Ssl-Server-I-Dn
RequestHeader unset Ssl-Server-I-Dn-C
RequestHeader unset Ssl-Server-I-Dn-St
RequestHeader unset Ssl-Server-I-Dn-L
RequestHeader unset Ssl-Server-I-Dn-O
RequestHeader unset Ssl-Server-I-Dn-Ou
RequestHeader unset Ssl-Server-I-Dn-Cn
RequestHeader unset Ssl-Server-I-Dn-T
RequestHeader unset Ssl-Server-I-Dn-I
RequestHeader unset Ssl-Server-I-Dn-G
RequestHeader unset Ssl-Server-I-Dn-S
RequestHeader unset Ssl-Server-I-Dn-D
RequestHeader unset Ssl-Server-I-Dn-Uid
RequestHeader unset Ssl-Server-I-Dn-Email
RequestHeader unset Ssl-Server-A-Sig
RequestHeader unset Ssl-Server-A-Key
RequestHeader unset Ssl-Server-Cert
# SET APACHE SSL HEADERS REQUERED HEADERS FOR BACKEND SERVER FROM ENV VALUES (if they exist)
RequestHeader set Https "%{HTTPS}s" env=HTTPS
RequestHeader set Ssl-Protocol "%{SSL_PROTOCOL}s" env=SSL_PROTOCOL
RequestHeader set Ssl-Session-Id "%{SSL_SESSION_ID}s" env=SSL_SESSION_ID
RequestHeader set Ssl-Cipher "%{SSL_CIPHER}s" env=SSL_CIPHER
RequestHeader set Ssl-Cipher-Export "%{SSL_CIPHER_EXPORT}s" env=SSL_CIPHER_EXPORT
RequestHeader set Ssl-Cipher-Algkeysize "%{SSL_CIPHER_ALGKEYSIZE}s" env=SSL_CIPHER_ALGKEYSIZE
RequestHeader set Ssl-Cipher-Usekeysize "%{SSL_CIPHER_USEKEYSIZE}s" env=SSL_CIPHER_USEKEYSIZE
RequestHeader set Ssl-Version-Library "%{SSL_VERSION_LIBRARY}s" env=SSL_VERSION_LIBRARY
RequestHeader set Ssl-Version-Interface "%{SSL_VERSION_INTERFACE}s" env=SSL_VERSION_INTERFACE
RequestHeader set Ssl-Client-M-Version "%{SSL_CLIENT_M_VERSION}s" env=SSL_CLIENT_M_VERSION
RequestHeader set Ssl-Client-M-Serial "%{SSL_CLIENT_M_SERIAL}s" env=SSL_CLIENT_M_SERIAL
RequestHeader set Ssl-Client-V-Start "%{SSL_CLIENT_V_START}s" env=SSL_CLIENT_V_START
RequestHeader set Ssl-Client-V-End "%{SSL_CLIENT_V_END}s" env=SSL_CLIENT_V_END
RequestHeader set Ssl-Client-S-Dn "%{SSL_CLIENT_S_DN}s" env=SSL_CLIENT_S_DN
RequestHeader set Ssl-Client-S-Dn-C "%{SSL_CLIENT_S_DN_C}s" env=SSL_CLIENT_S_DN_C
RequestHeader set Ssl-Client-S-Dn-St "%{SSL_CLIENT_S_DN_ST}s" env=SSL_CLIENT_S_DN_ST
RequestHeader set Ssl-Client-S-Dn-L "%{SSL_CLIENT_S_DN_L}s" env=SSL_CLIENT_S_DN_L
RequestHeader set Ssl-Client-S-Dn-O "%{SSL_CLIENT_S_DN_O}s" env=SSL_CLIENT_S_DN_O
RequestHeader set Ssl-Client-S-Dn-Ou "%{SSL_CLIENT_S_DN_OU}s" env=SSL_CLIENT_S_DN_OU
RequestHeader set Ssl-Client-S-Dn-Cn "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
RequestHeader set Ssl-Client-S-Dn-T "%{SSL_CLIENT_S_DN_T}s" env=SSL_CLIENT_S_DN_T
RequestHeader set Ssl-Client-S-Dn-I "%{SSL_CLIENT_S_DN_I}s" env=SSL_CLIENT_S_DN_I
RequestHeader set Ssl-Client-S-Dn-G "%{SSL_CLIENT_S_DN_G}s" env=SSL_CLIENT_S_DN_G
RequestHeader set Ssl-Client-S-Dn-S "%{SSL_CLIENT_S_DN_S}s" env=SSL_CLIENT_S_DN_S
RequestHeader set Ssl-Client-S-Dn-D "%{SSL_CLIENT_S_DN_D}s" env=SSL_CLIENT_S_DN_D
RequestHeader set Ssl-Client-S-Dn-Uid "%{SSL_CLIENT_S_DN_UID}s" env=SSL_CLIENT_S_DN_UID
RequestHeader set Ssl-Client-S-Dn-Email "%{SSL_CLIENT_S_DN_Email}s" env=SSL_CLIENT_S_DN_Email
10
RequestHeader set Ssl-Client-I-Dn "%{SSL_CLIENT_I_DN}s" env=SSL_CLIENT_I_DN
RequestHeader set Ssl-Client-I-Dn-C "%{SSL_CLIENT_I_DN_C}s" env=SSL_CLIENT_I_DN_C
RequestHeader set Ssl-Client-I-Dn-St "%{SSL_CLIENT_I_DN_ST}s" env=SSL_CLIENT_I_DN_ST
RequestHeader set Ssl-Client-I-Dn-L "%{SSL_CLIENT_I_DN_L}s" env=SSL_CLIENT_I_DN_L
RequestHeader set Ssl-Client-I-Dn-O "%{SSL_CLIENT_I_DN_O}s" env=SSL_CLIENT_I_DN_O
RequestHeader set Ssl-Client-I-Dn-Ou "%{SSL_CLIENT_I_DN_OU}s" env=SSL_CLIENT_I_DN_OU
RequestHeader set Ssl-Client-I-Dn-Cn "%{SSL_CLIENT_I_DN_CN}s" env=SSL_CLIENT_I_DN_CN
RequestHeader set Ssl-Client-I-Dn-T "%{SSL_CLIENT_I_DN_T}s" env=SSL_CLIENT_I_DN_T
RequestHeader set Ssl-Client-I-Dn-I "%{SSL_CLIENT_I_DN_I}s" env=SSL_CLIENT_I_DN_I
RequestHeader set Ssl-Client-I-Dn-G "%{SSL_CLIENT_I_DN_G}s" env=SSL_CLIENT_I_DN_G
RequestHeader set Ssl-Client-I-Dn-S "%{SSL_CLIENT_I_DN_S}s" env=SSL_CLIENT_I_DN_S
RequestHeader set Ssl-Client-I-Dn-D "%{SSL_CLIENT_I_DN_D}s" env=SSL_CLIENT_I_DN_D
RequestHeader set Ssl-Client-I-Dn-Uid "%{SSL_CLIENT_I_DN_UID}s" env=SSL_CLIENT_I_DN_UID
RequestHeader set Ssl-Client-I-Dn-Email "%{SSL_CLIENT_I_DN_Email}s" env=SSL_CLIENT_I_DN_Email
RequestHeader set Ssl-Client-A-Sig "%{SSL_CLIENT_A_SIG}s" env=SSL_CLIENT_A_SIG
RequestHeader set Ssl-Client-A-Key "%{SSL_CLIENT_A_KEY}s" env=SSL_CLIENT_A_KEY
RequestHeader set Ssl-Client-Cert "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
RequestHeader set Ssl-Client-Cert-Chain-N "%{SSL_CLIENT_CERT_CHAIN_n}s" env=SSL_CLIENT_CERT_CHAIN_n
RequestHeader set Ssl-Client-Verify "%{SSL_CLIENT_VERIFY}s" env=SSL_CLIENT_VERIFY
RequestHeader set Ssl-Server-M-Version "%{SSL_SERVER_M_VERSION}s" env=SSL_SERVER_M_VERSION
RequestHeader set Ssl-Server-M-Serial "%{SSL_SERVER_M_SERIAL}s" env=SSL_SERVER_M_SERIAL
RequestHeader set Ssl-Server-V-Start "%{SSL_SERVER_V_START}s" env=SSL_SERVER_V_START
RequestHeader set Ssl-Server-V-End "%{SSL_SERVER_V_END}s" env=SSL_SERVER_V_END
RequestHeader set Ssl-Server-S-Dn "%{SSL_SERVER_S_DN}s" env=SSL_SERVER_S_DN
RequestHeader set Ssl-Server-S-Dn-C "%{SSL_SERVER_S_DN_C}s" env=SSL_SERVER_S_DN_C
RequestHeader set Ssl-Server-S-Dn-St "%{SSL_SERVER_S_DN_ST}s" env=SSL_SERVER_S_DN_ST
RequestHeader set Ssl-Server-S-Dn-L "%{SSL_SERVER_S_DN_L}s" env=SSL_SERVER_S_DN_L
RequestHeader set Ssl-Server-S-Dn-O "%{SSL_SERVER_S_DN_O}s" env=SSL_SERVER_S_DN_O
RequestHeader set Ssl-Server-S-Dn-Ou "%{SSL_SERVER_S_DN_OU}s" env=SSL_SERVER_S_DN_OU
RequestHeader set Ssl-Server-S-Dn-Cn "%{SSL_SERVER_S_DN_CN}s" env=SSL_SERVER_S_DN_CN
RequestHeader set Ssl-Server-S-Dn-T "%{SSL_SERVER_S_DN_T}s" env=SSL_SERVER_S_DN_T
RequestHeader set Ssl-Server-S-Dn-I "%{SSL_SERVER_S_DN_I}s" env=SSL_SERVER_S_DN_I
RequestHeader set Ssl-Server-S-Dn-G "%{SSL_SERVER_S_DN_G}s" env=SSL_SERVER_S_DN_G
RequestHeader set Ssl-Server-S-Dn-S "%{SSL_SERVER_S_DN_S}s" env=SSL_SERVER_S_DN_S
RequestHeader set Ssl-Server-S-Dn-D "%{SSL_SERVER_S_DN_D}s" env=SSL_SERVER_S_DN_D
RequestHeader set Ssl-Server-S-Dn-Uid "%{SSL_SERVER_S_DN_UID}s" env=SSL_SERVER_S_DN_UID
RequestHeader set Ssl-Server-S-Dn-Email "%{SSL_SERVER_S_DN_Email}s" env=SSL_SERVER_S_DN_Email
RequestHeader set Ssl-Server-I-Dn "%{SSL_SERVER_I_DN}s" env=SSL_SERVER_I_DN
RequestHeader set Ssl-Server-I-Dn-C "%{SSL_SERVER_I_DN_C}s" env=SSL_SERVER_I_DN_C
RequestHeader set Ssl-Server-I-Dn-St "%{SSL_SERVER_I_DN_ST}s" env=SSL_SERVER_I_DN_ST
RequestHeader set Ssl-Server-I-Dn-L "%{SSL_SERVER_I_DN_L}s" env=SSL_SERVER_I_DN_L
RequestHeader set Ssl-Server-I-Dn-O "%{SSL_SERVER_I_DN_O}s" env=SSL_SERVER_I_DN_O
RequestHeader set Ssl-Server-I-Dn-Ou "%{SSL_SERVER_I_DN_OU}s" env=SSL_SERVER_I_DN_OU
RequestHeader set Ssl-Server-I-Dn-Cn "%{SSL_SERVER_I_DN_CN}s" env=SSL_SERVER_I_DN_CN
RequestHeader set Ssl-Server-I-Dn-T "%{SSL_SERVER_I_DN_T}s" env=SSL_SERVER_I_DN_T
RequestHeader set Ssl-Server-I-Dn-I "%{SSL_SERVER_I_DN_I}s" env=SSL_SERVER_I_DN_I
RequestHeader set Ssl-Server-I-Dn-G "%{SSL_SERVER_I_DN_G}s" env=SSL_SERVER_I_DN_G
RequestHeader set Ssl-Server-I-Dn-S "%{SSL_SERVER_I_DN_S}s" env=SSL_SERVER_I_DN_S
RequestHeader set Ssl-Server-I-Dn-D "%{SSL_SERVER_I_DN_D}s" env=SSL_SERVER_I_DN_D
RequestHeader set Ssl-Server-I-Dn-Uid "%{SSL_SERVER_I_DN_UID}s" env=SSL_SERVER_I_DN_UID
RequestHeader set Ssl-Server-I-Dn-Email "%{SSL_SERVER_I_DN_Email}s" env=SSL_SERVER_I_DN_Email
RequestHeader set Ssl-Server-A-Sig "%{SSL_SERVER_A_SIG}s" env=SSL_SERVER_A_SIG
RequestHeader set Ssl-Server-A-Key "%{SSL_SERVER_A_KEY}s" env=SSL_SERVER_A_KEY
RequestHeader set Ssl-Server-Cert "%{SSL_SERVER_CERT}s" env=SSL_SERVER_CERT
#############################################
# Weblogic
#############################################
# CLEAN WEBLOGIC HEADERS
RequestHeader unset WL-Proxy-SSL
11
RequestHeader unset WL-Proxy-Client-Cert
RequestHeader unset WL-Proxy-Client-Keysize
RequestHeader unset WL-Proxy-Client-Secretkeysize
RequestHeader unset WL-Proxy-Client-IP
RequestHeader unset X-WebLogic-KeepAliveSecs
RequestHeader unset X-WebLogic-Request-ClusterInfo
RequestHeader unset x-weblogic-cluster-hash
# SET HEADERS FROM ENV FOR WEBLOGIC
RequestHeader set WL-Proxy-SSL "true" env=HTTPS
RequestHeader set WL-Proxy-Client-Keysize "%{SSL_CIPHER_USEKEYSIZE}s" env=HTTPS
RequestHeader set WL-Proxy-Client-Secretkeysize "%{SSL_CIPHER_USEKEYSIZE}s" env=HTTPS
RequestHeader set WL-Proxy-Client-IP "%{REMOTE_ADDR}s"
RequestHeader set Proxy-Client-IP "%{REMOTE_ADDR}s"
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
RequestHeader set X-WebLogic-KeepAliveSecs "30"
# Set Cert from SSL_CLIENT_CERT env value + clean it for Weblogic (only cert content)
RequestHeader set WL-Proxy-Client-Cert "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert "-----BEGIN CERTIFICATE-----" "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert "-----END CERTIFICATE-----" "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
EOF
# Default SSLClientVerify path for all the hosts
# defined in file: /etc/apache2-ssloffloader/conf.d/ssl_smartcard_auth_url
cat > /etc/apache2-ssloffloader/conf.d/ssl_smartcard_auth_url <<EOF
# URL for client cert auth - base websites
<Location ~ "auth/smartcard">
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional
SSLVerifyDepth 2
</Location>
# One Java app
<Location ~ "idLogin">
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional
SSLVerifyDepth 2
12
</Location>
EOF
# Forward request to balancer.proxy
# proxy configuration is defined in file: /etc/apache2/mods-enabled/proxy.conf
cat > /etc/apache2-ssloffloader/mods-enabled/proxy.conf <<EOF
<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia Off
# Nessesary that Host: in header would remain intact
ProxyPreserveHost On
ProxyTimeout 6000
</IfModule>
EOF
4.3.2
SSL offloader's informative tasks
# Log requests
# logging is defined in file: /etc/apache2-ssloffloader/conf.d/logging
cat > /etc/apache2-ssloffloader/conf.d/logging <<EOF
LogFormat "%V:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" custom_vhost_combined
ErrorLog "|/usr/bin/logger -p local1.error -t apache2-ssloffloader"
CustomLog "|/usr/bin/logger -p local1.info -t apache2-ssloffloader" custom_vhost_combined
EOF
# Show SSL offloader status
# defined in file: /etc/apache2-ssloffloader/conf.d/serverinfo-status
cat > /etc/apache2-ssloffloader/conf.d/serverinfo-status <<EOF
ExtendedStatus On
<Location /ssloffloader-status>
SetHandler server-status
Order Allow,Deny
Allow from 192.168.252 172.19
</Location>
ProxyPass
EOF
4.3.3
/ssloffloader-status
!
Load balancer's functional task
# Take requests for localhost and port 80
# name based virtualhosts are defined in directory: /etc/apache2-balancer/sites-enabled
# (I'd recommend use filname format: domain.subdomain.subdomain.conf)
13
cat > /etc/apache2-balancer/sites-enabled/ee.example.example.conf <<EOF
<VirtualHost balancer.proxy:80>
ServerName example.example.ee
ServerAlias data.example.ee alias.example.ee
ProxyPass
/
balancer://example.balancer/
</VirtualHost>
EOF
# Create balancers
# configured in directory: /etc/apache2-balancer/balancers
cat > /etc/apache2-balancer/balancers/example.balancer.conf <<EOF
# This is example balancer, you will have to change it later
<Proxy balancer://example.balancer>
BalancerMember http://10.0.6.153:80
BalancerMember http://10.0.6.154:80
</Proxy>
EOF
# Configure proxy
# proxy configured in /etc/apache2-balancer/mods-enabled/proxy.conf
cat > /etc/apache2-balancer/mods-enabled/proxy.conf <<EOF
<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia Off
# Nessesary that Host: in header would remain intact
ProxyPreserveHost On
ProxyTimeout 6000
# FIX: needed so that mod-itk would not exit (same tcpsession different host problem)
# TODO:
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</IfModule>
EOF
4.3.4
Load balancer's informative tasks
# Log requests
# logging is defined in file: /etc/apache2-balancer/conf.d/logging
cat > /etc/apache2-balancer/conf.d/logging <<EOF
LogFormat "%V:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" custom_vhost_combined
ErrorLog "|/usr/bin/logger -p local1.error -t apache2-balancer"
CustomLog "|/usr/bin/logger -p local1.info -t apache2-balancer" custom_vhost_combined
EOF
# Show load balancer status
# defined in file: /etc/apache2­balancer/conf.d/balancer­status
14
cat > /etc/apache2­balancer/conf.d/balancer­status <<EOF
ExtendedStatus On <Location /balancer­status> SetHandler server­status Order Allow,Deny Allow from 192.168.252 172.19 </Location> ProxyPass /balancer­status ! EOF
# Show and let admin to configure balancers
# defined in file: /etc/apache2-balancer/conf.d/balancer-manager
cat > /etc/apache2-balancer/conf.d/balancer-manager <<EOF
# Show LB balancer status
<Location /balancer-manager>
SetHandler balancer-manager
Order Allow,Deny
Allow from 192.168.252 172.19
</Location>
ProxyPass
EOF
4.4
/balancer-manager
!
Confirm that everything is working
1.
2.
3.
4.
5.
6.
4.5
Reboot
netstat -penat | egrep 443|80
http://server/ssloffloader-status
http://server/balancer-status
http://server/balancer-manager
Configure additional hosts as needed
Configuration procedure examples
4.5.1
Add new backend servers, and domain to be SSL offloaded and load balanced.
1.)
•
Choices
Different IP-s and 443 port for new SSL host (you have to add new IP to server,
configure Listen for new IP, both 80 and 443)
•
Same IP-s, but different port for SSL host
2.)
Steps
1. Only if you need a new VirtualHost with different certificate for that domain: define
new SSL VirtualHost in file: /etc/apache2-ssloffloader/sitesenabled/com.anotherdomain.subdomain.conf from what ProxyPass to balancer.proxy
2. If the balancer is not defined: define new balancer for “anotherwebservers.subnet.kit”
server group in file: /etc/apache2balancer/balancers/kit.subnet.anotherwebservers.conf
15
3. Create new named VirtualHost for “subdomain.anotherdomain.com” in file:
/etc/apache2-balancer/sites-enabled/com.anotherdomain.subdomain.conf
3.)
Configure
# Create another virtualhost for new domain and certificate
cat > /etc/apache2-ssloffloader/sites-enabled/com.anotherdomain.subdomain.conf <<EOF
Listen ssloffloader.proxy:444
<VirtualHost ssloffloader.proxy:444>
ProxyPass / http://balancer.proxy/
# + Certificates
SSLEngine on
SSLCertificateFile /etc/certificates-apache2/sites/subdomain.anotherdomain.com.crt
SSLCertificateKeyFile /etc/certificates-apache2/sites/subdomain.anotherdomain.com.key
SSLCertificateChainFile /etc/certificates-apache2/sites/juur-thawte.crt
SSLCACertificateFile /etc/certificates-apache2/ssl.crt/id.crt
</VirtualHost>
EOF
# Create new balancer://
cat > /etc/apache2-balancer/balancers/kit.subnet.anotherwebservers.conf <<EOF
<Proxy balancer://kit.subnet.anotherwebserver>
BalancerMember http://10.0.6.201:80
BalancerMember http://10.0.6.202:80
</Proxy>
EOF
# Create new balancer
cat > /etc/apache2-balancer/sites-enabled/com.anotherdomain.subdomain.conf <<EOF
<VirtualHost balancer.proxy:80>
ServerName subdomain.anotherdomain.com
ProxyPass
/
balancer://kit.subnet.anotherwebserver/
</VirtualHost>
EOF
4.)
Testing
1. Change your hosts file and make usual HTTP(S) request (or telnet server 80\n GET /
HTTP/1.0\n Host: subdomain.anotherdomain.com)
4.5.2
1.)
Add a new VirtualHost with sticky-sessions controlled in Load Balancer (can be used
for Apache2, Tomcat, Jboss and Weblogic backends.)
Steps
1. Do as in step 4.5.1 Add new backend servers, and domain to be SSL offloaded and
load balanced. but create different balancer.
2. Create proxy balancer and set route_id's for nodes.
3. Enable mod_headers, if not enabled, and set stickysession name + create rule for
adding cookie with that name and route_id, if it changes. (Route_id is taken from
stickysession_name=sometext.this_value_is_taken. )
16
2.)
Configuration
cat > /etc/apache2-balancer/balancers/kit.subnet.weblogic-app-servers__application.conf <<EOF
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" \
env=BALANCER_ROUTE_CHANGED
<Proxy balancer://kit.subnet.weblogic-app-servers__application>
BalancerMember http://10.0.6.136:7010 route=1
BalancerMember http://10.0.6.136:7010 route=2
ProxySet stickysession=ROUTEID
</Proxy>
EOF
3.)
Testing
1. Order of getting correct routeid from stickysession_name is: 1.) from URL, 2.) from
cookie. That means that you can test solution by going: http://server/?
ROUTEID=.change_id_to_test and see results from https://server/balancer-manager
and https://server/balancer-status
4.5.3
Multiply SSL offloaders and balancers for high availability (active-active mode)
1. You need to have atleast to or more servers running, with same “SSL offloader and
balancer” configuration + boot scripts.
2. Steps to do: do install steps + copy contents of /etc/apache2-ssloffloader/sites-enabled,
/etc/apache2-balancer/balancers and /etc/apache2-balancer/sites-enabled
3. If you have followed logic described in this manual, you only have to change
“ssloffloader.proxy” in /etc/hosts for correct IP.
4.6
Upgrading
4.6.1
OS
Uprading from Debian Squeeze or Ubuntu Maverick to newer should be without
complications and additional steps. It will be tested, and if needed, additional steps will be
added to here.
4.6.2
SSL offloader and Load balancer concept implementation
1. Backup (4.7.1 Backup)
2. Do install steps by this document's manual (4.2 Install)
4.7
Backup and restore
4.7.1
Backup
/etc/*apache2* (apache2-ssloffloader, apache2-balancer, certificates-apache2) must be backed
up regularly.
4.7.2
Restore
Install steps + copy apache2-ssloffloader, apache2-balancer and certificates-apache2 back
up /etc folder.
17
5.
Backend server configuration
5.1
Apache2
1.)
Description of steps
1. Install mod_rpaf (so correct env values for client IP are set)
2. From headers set env values
2.)
Steps
# Additional nessesary install
apt-get install libapache2-mod-rpaf
# Enable nessesary modules
a2enmod headers rpaf
# Configure mod_rpaf – so correct REMOTE_ADDRESS is set
# Edit /etc/apache2/mods-enabled/rpaf.conf (Read more: http://stderr.net/apache/rpaf/)
RPAFproxy_ips WRITE_BALANCER_PRIMARY_INTERNFACE_IP_HERE
# Create SSL env values from HTTP headers
#
# Only from SSL offloader and balancer should be requests allowed, or major security problem (For example, some client
sends SSL_CLIENT_CERTIFICATE header and its not cleaned)
cat > /etc/apache2/conf.d/ssl_env_values_from_headers <<EOF
SetEnvIf Https "(..*)" HTTPS=\$1
SetEnvIf Ssl-Protocol "(..*)" SSL_PROTOCOL=\$1
SetEnvIf Ssl-Session-Id "(..*)" SSL_SESSION_ID=\$1
SetEnvIf Ssl-Cipher "(..*)" SSL_CIPHER=\$1
SetEnvIf Ssl-Cipher-Export "(..*)" SSL_CIPHER_EXPORT=\$1
SetEnvIf Ssl-Cipher-Algkeysize "(..*)" SSL_CIPHER_ALGKEYSIZE=\$1
SetEnvIf Ssl-Cipher-Usekeysize "(..*)" SSL_CIPHER_USEKEYSIZE=\$1
SetEnvIf Ssl-Version-Library "(..*)" SSL_VERSION_LIBRARY=\$1
SetEnvIf Ssl-Version-Interface "(..*)" SSL_VERSION_INTERFACE=\$1
SetEnvIf Ssl-Client-M-Version "(..*)" SSL_CLIENT_M_VERSION=\$1
SetEnvIf Ssl-Client-M-Serial "(..*)" SSL_CLIENT_M_SERIAL=\$1
SetEnvIf Ssl-Client-V-Start "(..*)" SSL_CLIENT_V_START=\$1
SetEnvIf Ssl-Client-V-End "(..*)" SSL_CLIENT_V_END=\$1
SetEnvIf Ssl-Client-S-Dn "(..*)" SSL_CLIENT_S_DN=\$1
SetEnvIf Ssl-Client-S-Dn-C "(..*)" SSL_CLIENT_S_DN_C=\$1
SetEnvIf Ssl-Client-S-Dn-St "(..*)" SSL_CLIENT_S_DN_ST=\$1
SetEnvIf Ssl-Client-S-Dn-L "(..*)" SSL_CLIENT_S_DN_L=\$1
SetEnvIf Ssl-Client-S-Dn-O "(..*)" SSL_CLIENT_S_DN_O=\$1
SetEnvIf Ssl-Client-S-Dn-Ou "(..*)" SSL_CLIENT_S_DN_OU=\$1
SetEnvIf Ssl-Client-S-Dn-Cn "(..*)" SSL_CLIENT_S_DN_CN=\$1
SetEnvIf Ssl-Client-S-Dn-T "(..*)" SSL_CLIENT_S_DN_T=\$1
SetEnvIf Ssl-Client-S-Dn-I "(..*)" SSL_CLIENT_S_DN_I=\$1
SetEnvIf Ssl-Client-S-Dn-G "(..*)" SSL_CLIENT_S_DN_G=\$1
SetEnvIf Ssl-Client-S-Dn-S "(..*)" SSL_CLIENT_S_DN_S=\$1
SetEnvIf Ssl-Client-S-Dn-D "(..*)" SSL_CLIENT_S_DN_D=\$1
SetEnvIf Ssl-Client-S-Dn-Uid "(..*)" SSL_CLIENT_S_DN_UID=\$1
18
SetEnvIf Ssl-Client-S-Dn-Email "(..*)" SSL_CLIENT_S_DN_Email=\$1
SetEnvIf Ssl-Client-I-Dn "(..*)" SSL_CLIENT_I_DN=\$1
SetEnvIf Ssl-Client-I-Dn-C "(..*)" SSL_CLIENT_I_DN_C=\$1
SetEnvIf Ssl-Client-I-Dn-St "(..*)" SSL_CLIENT_I_DN_ST=\$1
SetEnvIf Ssl-Client-I-Dn-L "(..*)" SSL_CLIENT_I_DN_L=\$1
SetEnvIf Ssl-Client-I-Dn-O "(..*)" SSL_CLIENT_I_DN_O=\$1
SetEnvIf Ssl-Client-I-Dn-Ou "(..*)" SSL_CLIENT_I_DN_OU=\$1
SetEnvIf Ssl-Client-I-Dn-Cn "(..*)" SSL_CLIENT_I_DN_CN=\$1
SetEnvIf Ssl-Client-I-Dn-T "(..*)" SSL_CLIENT_I_DN_T=\$1
SetEnvIf Ssl-Client-I-Dn-I "(..*)" SSL_CLIENT_I_DN_I=\$1
SetEnvIf Ssl-Client-I-Dn-G "(..*)" SSL_CLIENT_I_DN_G=\$1
SetEnvIf Ssl-Client-I-Dn-S "(..*)" SSL_CLIENT_I_DN_S=\$1
SetEnvIf Ssl-Client-I-Dn-D "(..*)" SSL_CLIENT_I_DN_D=\$1
SetEnvIf Ssl-Client-I-Dn-Uid "(..*)" SSL_CLIENT_I_DN_UID=\$1
SetEnvIf Ssl-Client-I-Dn-Email "(..*)" SSL_CLIENT_I_DN_Email=\$1
SetEnvIf Ssl-Client-A-Sig "(..*)" SSL_CLIENT_A_SIG=\$1
SetEnvIf Ssl-Client-A-Key "(..*)" SSL_CLIENT_A_KEY=\$1
SetEnvIf Ssl-Client-Cert "(..*)" SSL_CLIENT_CERT=\$1
SetEnvIf Ssl-Client-Cert-Chain-N "(..*)" SSL_CLIENT_CERT_CHAIN_n=\$1
SetEnvIf Ssl-Client-Verify "(..*)" SSL_CLIENT_VERIFY=\$1
SetEnvIf Ssl-Server-M-Version "(..*)" SSL_SERVER_M_VERSION=\$1
SetEnvIf Ssl-Server-M-Serial "(..*)" SSL_SERVER_M_SERIAL=\$1
SetEnvIf Ssl-Server-V-Start "(..*)" SSL_SERVER_V_START=\$1
SetEnvIf Ssl-Server-V-End "(..*)" SSL_SERVER_V_END=\$1
SetEnvIf Ssl-Server-S-Dn "(..*)" SSL_SERVER_S_DN=\$1
SetEnvIf Ssl-Server-S-Dn-C "(..*)" SSL_SERVER_S_DN_C=\$1
SetEnvIf Ssl-Server-S-Dn-St "(..*)" SSL_SERVER_S_DN_ST=\$1
SetEnvIf Ssl-Server-S-Dn-L "(..*)" SSL_SERVER_S_DN_L=\$1
SetEnvIf Ssl-Server-S-Dn-O "(..*)" SSL_SERVER_S_DN_O=\$1
SetEnvIf Ssl-Server-S-Dn-Ou "(..*)" SSL_SERVER_S_DN_OU=\$1
SetEnvIf Ssl-Server-S-Dn-Cn "(..*)" SSL_SERVER_S_DN_CN=\$1
SetEnvIf Ssl-Server-S-Dn-T "(..*)" SSL_SERVER_S_DN_T=\$1
SetEnvIf Ssl-Server-S-Dn-I "(..*)" SSL_SERVER_S_DN_I=\$1
SetEnvIf Ssl-Server-S-Dn-G "(..*)" SSL_SERVER_S_DN_G=\$1
SetEnvIf Ssl-Server-S-Dn-S "(..*)" SSL_SERVER_S_DN_S=\$1
SetEnvIf Ssl-Server-S-Dn-D "(..*)" SSL_SERVER_S_DN_D=\$1
SetEnvIf Ssl-Server-S-Dn-Uid "(..*)" SSL_SERVER_S_DN_UID=\$1
SetEnvIf Ssl-Server-S-Dn-Email "(..*)" SSL_SERVER_S_DN_Email=\$1
SetEnvIf Ssl-Server-I-Dn "(..*)" SSL_SERVER_I_DN=\$1
SetEnvIf Ssl-Server-I-Dn-C "(..*)" SSL_SERVER_I_DN_C=\$1
SetEnvIf Ssl-Server-I-Dn-St "(..*)" SSL_SERVER_I_DN_ST=\$1
SetEnvIf Ssl-Server-I-Dn-L "(..*)" SSL_SERVER_I_DN_L=\$1
SetEnvIf Ssl-Server-I-Dn-O "(..*)" SSL_SERVER_I_DN_O=\$1
SetEnvIf Ssl-Server-I-Dn-Ou "(..*)" SSL_SERVER_I_DN_OU=\$1
SetEnvIf Ssl-Server-I-Dn-Cn "(..*)" SSL_SERVER_I_DN_CN=\$1
SetEnvIf Ssl-Server-I-Dn-T "(..*)" SSL_SERVER_I_DN_T=\$1
SetEnvIf Ssl-Server-I-Dn-I "(..*)" SSL_SERVER_I_DN_I=\$1
SetEnvIf Ssl-Server-I-Dn-G "(..*)" SSL_SERVER_I_DN_G=\$1
SetEnvIf Ssl-Server-I-Dn-S "(..*)" SSL_SERVER_I_DN_S=\$1
SetEnvIf Ssl-Server-I-Dn-D "(..*)" SSL_SERVER_I_DN_D=\$1
SetEnvIf Ssl-Server-I-Dn-Uid "(..*)" SSL_SERVER_I_DN_UID=\$1
SetEnvIf Ssl-Server-I-Dn-Email "(..*)" SSL_SERVER_I_DN_Email=\$1
SetEnvIf Ssl-Server-A-Sig "(..*)" SSL_SERVER_A_SIG=\$1
SetEnvIf Ssl-Server-A-Key "(..*)" SSL_SERVER_A_KEY=\$1
SetEnvIf Ssl-Server-Cert "(..*)" SSL_SERVER_CERT=\$1
# RequestHeader unset Https
RequestHeader unset Ssl-Protocol
RequestHeader unset Ssl-Session-Id
RequestHeader unset Ssl-Cipher
RequestHeader unset Ssl-Cipher-Export
RequestHeader unset Ssl-Cipher-Algkeysize
19
RequestHeader unset Ssl-Cipher-Usekeysize
RequestHeader unset Ssl-Version-Library
RequestHeader unset Ssl-Version-Interface
RequestHeader unset Ssl-Client-M-Version
RequestHeader unset Ssl-Client-M-Serial
RequestHeader unset Ssl-Client-V-Start
RequestHeader unset Ssl-Client-V-End
RequestHeader unset Ssl-Client-S-Dn
RequestHeader unset Ssl-Client-S-Dn-C
RequestHeader unset Ssl-Client-S-Dn-St
RequestHeader unset Ssl-Client-S-Dn-L
RequestHeader unset Ssl-Client-S-Dn-O
RequestHeader unset Ssl-Client-S-Dn-Ou
RequestHeader unset Ssl-Client-S-Dn-Cn
RequestHeader unset Ssl-Client-S-Dn-T
RequestHeader unset Ssl-Client-S-Dn-I
RequestHeader unset Ssl-Client-S-Dn-G
RequestHeader unset Ssl-Client-S-Dn-S
RequestHeader unset Ssl-Client-S-Dn-D
RequestHeader unset Ssl-Client-S-Dn-Uid
RequestHeader unset Ssl-Client-S-Dn-Email
RequestHeader unset Ssl-Client-I-Dn
RequestHeader unset Ssl-Client-I-Dn-C
RequestHeader unset Ssl-Client-I-Dn-St
RequestHeader unset Ssl-Client-I-Dn-L
RequestHeader unset Ssl-Client-I-Dn-O
RequestHeader unset Ssl-Client-I-Dn-Ou
RequestHeader unset Ssl-Client-I-Dn-Cn
RequestHeader unset Ssl-Client-I-Dn-T
RequestHeader unset Ssl-Client-I-Dn-I
RequestHeader unset Ssl-Client-I-Dn-G
RequestHeader unset Ssl-Client-I-Dn-S
RequestHeader unset Ssl-Client-I-Dn-D
RequestHeader unset Ssl-Client-I-Dn-Uid
RequestHeader unset Ssl-Client-I-Dn-Email
RequestHeader unset Ssl-Client-A-Sig
RequestHeader unset Ssl-Client-A-Key
RequestHeader unset Ssl-Client-Cert
RequestHeader unset Ssl-Client-Cert-Chain-N
RequestHeader unset Ssl-Client-Verify
RequestHeader unset Ssl-Server-M-Version
RequestHeader unset Ssl-Server-M-Serial
RequestHeader unset Ssl-Server-V-Start
RequestHeader unset Ssl-Server-V-End
RequestHeader unset Ssl-Server-S-Dn
RequestHeader unset Ssl-Server-S-Dn-C
RequestHeader unset Ssl-Server-S-Dn-St
RequestHeader unset Ssl-Server-S-Dn-L
RequestHeader unset Ssl-Server-S-Dn-O
RequestHeader unset Ssl-Server-S-Dn-Ou
RequestHeader unset Ssl-Server-S-Dn-Cn
RequestHeader unset Ssl-Server-S-Dn-T
RequestHeader unset Ssl-Server-S-Dn-I
RequestHeader unset Ssl-Server-S-Dn-G
RequestHeader unset Ssl-Server-S-Dn-S
RequestHeader unset Ssl-Server-S-Dn-D
RequestHeader unset Ssl-Server-S-Dn-Uid
RequestHeader unset Ssl-Server-S-Dn-Email
RequestHeader unset Ssl-Server-I-Dn
RequestHeader unset Ssl-Server-I-Dn-C
RequestHeader unset Ssl-Server-I-Dn-St
RequestHeader unset Ssl-Server-I-Dn-L
20
RequestHeader unset Ssl-Server-I-Dn-O
RequestHeader unset Ssl-Server-I-Dn-Ou
RequestHeader unset Ssl-Server-I-Dn-Cn
RequestHeader unset Ssl-Server-I-Dn-T
RequestHeader unset Ssl-Server-I-Dn-I
RequestHeader unset Ssl-Server-I-Dn-G
RequestHeader unset Ssl-Server-I-Dn-S
RequestHeader unset Ssl-Server-I-Dn-D
RequestHeader unset Ssl-Server-I-Dn-Uid
RequestHeader unset Ssl-Server-I-Dn-Email
RequestHeader unset Ssl-Server-A-Sig
RequestHeader unset Ssl-Server-A-Key
RequestHeader unset Ssl-Server-Cert
EOF
5.2
Weblogic
Configuration for the Weblogic is the same as you would be using mod_weblogic or F5, you
have to set checkbox in Weblogic Console to Client Cert Proxy Enabled, or in deployment's
weblogic.xml enable tag client-cert-proxy-enabled.
•
•
5.3
http://www.google.com/search?q=Client+Cert+Proxy+Enabled+weblogic
http://www.google.com/search?q=client-cert-proxy-enabled
Jboss, Tomcat
If SSLoffloader is configured correctly, no additional configuration in Tomcat or Jboss is
needed.
21
6.
6.1
Configuration recommendations/notes
Apache
1. Keep in mind, that Apache2 configuration is read linearly. (If you first do ProxyPass
and then set some headers or do some cheks, user will be already at proxyed.)
2. In configurations don't use RewriteRule /something /otherthing [QSA,P] or the
webserver will make queries to its DNS resolve, but use [QSA,PT] (passthrough, not
proxy) – also using P flag is security hole through what your internal or other websites
can be attacked (it acts as anonymous proxy).
6.2
Loadbalancing
1. Use sticky sessions if you are not certain, that your applications fully and correctly
support fail over – if one server should die, then only users from that server are
directed to other server. (See also: 4.5.2Add a new VirtualHost with sticky-sessions
controlled in Load Balancer (can be used for Apache2, Tomcat, Jboss and Weblogic
backends.))
2. If your backendserver uses mod-itk (or for some other reason) can't handle multiple
requests in same TCP session to different virtualhosts, use session terminating for that
host. (http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass search:
“disablereuse”)
22
7.
Known problems
•
Currently in multiline texts newlines are replaced with spaces in mod_headers,
because of that SSL_*_CERT will not work. It's expected behavior, because HTTP
headers must be one liners. Its possible to fix the problem by using RewriteMap and
external program, when setting Apache env value in backend server. It is possible to
use SSL_CLIENT_S_DN instead.
23
8.
Links
1. http://httpd.apache.org/docs/current/mod/mod_proxy.html
2. http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html
3. http://httpd.apache.org/docs/current/mod/worker.html
24
9.
9.1
Appendix
How SSL offload is configured usually and how with this
solution
9.1.1
Common configuration's example
TODO
9.1.2
This solution's example
TODO
9.2
Short comparison between mod_weblogic and mod_balancer
stickyness and fail over
9.2.1
Mod_weblogic
(The common use case) to user is sent cookie, SESSIONNAME=RANDOMID!
primary_servers_id!secondary_servers_id from Weblogic server (backend server has to do its
own session replication); if user makes a new request, mod_weblogic gets the value of
primary server from the cookie, checks if it works; if not as fallback secondary is used.
See also: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/plugins/apache.html
9.2.2
Mod_balancer
Route id for route is set in balancer:// definition, from
SESSIONNAME=RANDOMID.route_id prefered route is got, if route does not answer, next
is chosen. Usually route_id is set from backend server, but its also possible to set it from load
balancer (see: 4.5.2Add a new VirtualHost with sticky-sessions controlled in Load Balancer
(can be used for Apache2, Tomcat, Jboss and Weblogic backends.))
9.3
Helpful commands
man apache2 # :)
apache2 -V # show version with compile parameters (google for Apache2 MPM, prefork vs worker and itk)
9.4
Helpful tuning directives
Read:
1. http://httpd.apache.org/docs/current/mod/worker.html
2. http://httpd.apache.org/docs/current/mod/mpm_common.html
9.5
Helpful security directives
Read:
1. http://httpd.apache.org/docs/current/misc/security_tips.html
25
9.6
How to create necessary headers setting file in ruby
Note:
•
This is only for Apache, Jboss and Tomcat, and not for Weblogic.
Description:
1. From http://httpd.apache.org/docs/current/mod/mod_ssl.html find (SSL-related
variables:) and create env.txt. On each line should be one environment value.
2. In SSL offloader config: Replace all with “Header unset Header-Name”,
'RequestHeader set Ssl-Env-Name "%{SSL_ENV_NAME}s"
env=SSL_ENV_NAME' ,
(http://httpd.apache.org/docs/current/mod/mod_headers.html)
3. In Backend server config: (see: 5Backend server configuration)
Steps:
# UNSET HEADERS (ssloffloader)
print File.new('env.txt').read.split("\n").collect{|env| header=env.downcase.split('_').collect{|e|e.capitalize}.join('-');
"RequestHeader unset " + header}.join("\n")
# SET HEADERS (ssloffloader)
print File.new('env.txt').read.split("\n").collect{|env| header=env.downcase.split('_').collect{|e|e.capitalize}.join('-');
"RequestHeader set "+header+" \"%{"+env+"}s\" env="+env }.join("\n")
# SET ENV VALUES FROM HEADERS (backend server)
print File.new('env.txt').read.split("\n").collect{|env| header=env.downcase.split('_').collect{|e|e.capitalize}.join('-'); "SetEnvIf
#{header} \"(..*)\" #{env}=\\$1" }.join("\n")
# UNSET HEADERS (backend server) (we don't need them any more)
print File.new('env.txt').read.split("\n").collect{|env| header=env.downcase.split('_').collect{|e|e.capitalize}.join('-');
"RequestHeader unset " + header}.join("\n")
26