Concept about how to SSL offload and load balance with Apache2
Version: 2011.02.18-06
Author: Margus Pärt
1. About this document
2. Description of the idea
3. Why to use this solution
   3.1 Upsides
   3.2 Downsides
4. SSL offloader and Load balancer
   4.1 Description of tasks
   4.2 Install
   4.3 Base configuration
   4.4 Confirm that everything is working
   4.5 Configuration procedure examples
   4.6 Upgrading
   4.7 Backup and restore
5. Backend server configuration
   5.1 Apache2
   5.2 Weblogic
   5.3 Jboss, Tomcat
6. Configuration recommendations/notes
   6.1 Apache
   6.2 Loadbalancing
7. Known problems
8. Links
9. Appendix
   9.1 How SSL offload is configured usually and how with this solution
   9.2 Short comparison between mod_weblogic and mod_balancer stickiness and fail over
   9.3 Helpful commands
   9.4 Helpful tuning directives
   9.5 Helpful security directives
   9.6 How to create necessary headers setting file in ruby

1. About this document

The newest version is always kept in https://apache2-ssloffload-andloadbalance.googlecode.com/svn/trunk/Documentation/ (.odt and .pdf files).

The concept described in this document can be used on every OS; the copy-paste to Bash is tested to work on Ubuntu Maverick (10.10) and Debian Squeeze (6). This solution's copy-paste to Bash does not work with the previous Debian (Lenny), because there is no support for APACHE_CONFDIR.

This document covers the SSL offloading and balancing concept plus a step-by-step manual on how to implement it. It does not cover how to secure Apache2 (conf.d/security, mod_security etc.) or explanations of the directives used; please use http://httpd.apache.org/docs/current/ for those.

Version history (all changes by Margus Pärt):

2011.02.18-06: Changed header names from SSL_CLIENT_S_DN to Ssl-Client-S-Dn etc., because it is more conventional, and now Tomcat, which uses Ssl-Client-Verify and Ssl-Client-S-Dn, is supported as a backend by default.
Reference: http://www.ietf.org/rfc/rfc2047.txt
2011.02.10-0.5: Added "Multiple SSL offloaders and balancers for high availability (active-active mode)".
2011.02.10-0.4: In configs some of the variables ($) were not escaped.
2011.02.07-0.3: Added image to description.
2011.02.06-0.2: Added "About this document" and "Upgrade steps".
2011.02.06-0.1: Initial.

2. Description of the idea

SSL offload and balancing. To avoid repeating configuration so much, and to keep the logic more separated, one Apache2 binary is run with two different configurations:

• SSL offloader (in folder /etc/apache2-ssloffloader); it also takes plain HTTP requests from the user
• Load balancer (in folder /etc/apache2-balancer)

Listen addresses:

• SSL offloader listens on the external IP
• Load balancer listens on 127.0.0.1, so only the SSL offloader can send requests to this address

Request path steps (abstract example; there are more variables and headers involved):

1. Client opens a connection to port 80 or 443 and sends an HTTP request: "GET /something HTTP/1.0 \n Host: www.example.ee \n SSL_HEADER: h2xx"
2. SSL offloader deletes SSL_HEADER and sets a new one from the Apache2 env variable named SSL_HEADER, adds client info, and with ProxyPass sends the request to the Load balancer: "GET /something HTTP/1.0 \n Host: www.example.ee \n SSL_HEADER: fixed \n X-Forwarded-For: 123.231.123.231"
3. Load balancer sends the request to the correct backend server
4. Backend server responds to the request
5. ... and the response travels the reverse way through the chain back to the client

3. Why to use this solution

3.1 Upsides

3.1.1 You don't have to repeat configuration in both 443 and 80

1.) Common

For example, if I want to have a RewriteRule from / to /otherurl using ordinary configuration, I have to define this rule both in the :443 and in the :80 configuration, and the same for all other rules. (Using Apache's Include directive for common directives would be an alternative, but then you would have 3 files: HTTPS, HTTP and the file to be included in both configurations.)

2.) This solution
Although I have to create:

• an SSL offloader VirtualHost
• a balancer:// definition
• a balancer VirtualHost

(also 3 files), they are more logically separated and can be refactored more easily.

3.1.2 You can have multiple different domains behind one wildcard certificate VirtualHost (only one IP and port will be used)

1.) Common

Even when using SNI, different VirtualHosts for different domains on different backend servers have to be created.

2.) This solution

One wildcard certificate can be used for different backend servers.

3.2 Downsides

3.2.1 Logic differs from conventional Apache2

1.) Common

One Apache binary is run with the config from /etc/apache2.

2.) This solution

Two Apache processes will be running, with configs from /etc/apache2-ssloffloader and /etc/apache2-balancer.

4. SSL offloader and Load balancer

4.1 Description of tasks

4.1.1 SSL offloader's functional tasks

1. Take requests on ports 80 and 443 from clients. SSL VirtualHosts need to be defined in the directory /etc/apache2-ssloffloader/sites-enabled; certificates are kept in the directory /etc/certificates-apache2.
2. Clean the headers from client-sent data (unset SSL_CLIENT_CERT etc.) and set the correct headers for the backend server from env values, so the backend server knows whether the client is authenticated. Setting headers for the backend server is done in the file /etc/apache2-ssloffloader/conf.d/ssl_offload_headers.
3. The default SSLVerifyClient URLs for all the hosts are defined in the file /etc/apache2-ssloffloader/conf.d/ssl_smartcard_auth_url.
4. Forward the request to balancer.proxy. The proxy configuration is defined in the file /etc/apache2-ssloffloader/mods-enabled/proxy.conf, and the ProxyPass has to be done in the VirtualHost definition for the SSL offloader, file /etc/apache2-ssloffloader/sites-enabled/name.of.site.conf.

4.1.2 SSL offloader's informative tasks

1. Log requests; logging is defined in the file /etc/apache2-ssloffloader/conf.d/logging.
2. Show server status at http://server/ssloffloader-status, defined in the file /etc/apache2-ssloffloader/conf.d/serverinfo-status.
4.1.3 Load balancer's functional tasks

1. Take requests for port 80. Name-based VirtualHosts are defined in the directory /etc/apache2-balancer/sites-enabled (I'd recommend using the filename format domain.subdomain.subdomain.conf).
2. Proxy requests to the correct backend node, using the balancers configured in the directory /etc/apache2-balancer/balancers and the proxy configured in /etc/apache2-balancer/mods-enabled/proxy.conf.

4.1.4 Load balancer's informative tasks

1. Log requests; logging is defined in the file /etc/apache2-balancer/conf.d/logging.
2. Show server status at http://server/balancer-status, defined in the file /etc/apache2-balancer/conf.d/serverinfo-status.
3. Show and let the admin configure balancers at http://server/balancer-manager, defined in the file /etc/apache2-balancer/conf.d/serverinfo-balancermanager.

4.1.5 Backend server/application's functional tasks

1. Receive the request and understand whether the user has done smartcard authentication: for Apache, /etc/apache2/conf.d/ssl_env_values_from_headers; for Weblogic, Client Cert Proxy Enabled in the Console (or "<client-cert-proxy-enabled>" in web.xml).
2. Respond.

4.2 Install

4.2.1 Preconditions

1. Clean install of Debian, no changes to the Apache default configuration files.

4.2.2 Debian packages

# Install Apache2
apt-get install apache2 libapache2-mod-rpaf

4.2.3 Create base (create two different Apache configurations for one binary)

# Please set correct env value for external IP
LB_EXTERNAL_IP='192.168.0.9'
LB_INTERNAL_IP='127.0.0.1'

# Create hosts file entries for our needs (so we can duplicate configurations to other servers without changing them)
echo $LB_EXTERNAL_IP ssloffloader.proxy >> /etc/hosts
echo $LB_INTERNAL_IP balancer.proxy >> /etc/hosts

# Remove unnecessary VirtualHosts
rm -rf /etc/apache2/sites-enabled/* /etc/apache2/sites-available/*

# Copy (or create) necessary structure
cp -a /etc/apache2 /etc/apache2-ssloffloader
cp -a /etc/default/apache2 /etc/default/apache2-ssloffloader
cp -a /var/log/apache2 /var/log/apache2-ssloffloader
cp -a /etc/apache2 /etc/apache2-balancer
cp -a /etc/default/apache2 /etc/default/apache2-balancer
cp -a /var/log/apache2 /var/log/apache2-balancer
mkdir -p /etc/apache2-balancer/balancers

# Close and disable default Apache2 configuration
/etc/init.d/apache2 stop
update-rc.d apache2 remove
chmod 000 /etc/apache2

# Create startup script for apache2-ssloffloader
# (the $ signs are escaped so that the init script, not this shell, expands them)
cat > /etc/init.d/apache2-ssloffloader <<EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides:          apache2-ssloffloader
# Required-Start:    \$local_fs \$remote_fs \$network \$syslog \$named
# Required-Stop:     \$local_fs \$remote_fs \$network \$syslog \$named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop apache2-ssloffloader web server
### END INIT INFO
APACHE_CONFDIR='/etc/apache2-ssloffloader' /etc/init.d/apache2 \$1
EOF
chmod 755 /etc/init.d/apache2-ssloffloader

# Create startup script for apache2-balancer
cat > /etc/init.d/apache2-balancer <<EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides:          apache2-balancer
# Required-Start:    \$local_fs \$remote_fs \$network \$syslog \$named
# Required-Stop:     \$local_fs \$remote_fs \$network \$syslog \$named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop apache2-balancer web server
### END INIT INFO
APACHE_CONFDIR='/etc/apache2-balancer' /etc/init.d/apache2 \$1
EOF
chmod 755 /etc/init.d/apache2-balancer

# Set external interface IP for SSL offloader (it is for external connections; both SSL and HTTP are supported)
cat > /etc/apache2-ssloffloader/ports.conf <<EOF
NameVirtualHost *:80
Listen ssloffloader.proxy:80
<IfModule mod_ssl.c>
    Listen ssloffloader.proxy:443
</IfModule>
<IfModule mod_gnutls.c>
    Listen ssloffloader.proxy:443
</IfModule>
EOF

# Set internal interface listening for balancer to lo (localhost)
cat > /etc/apache2-balancer/ports.conf <<EOF
NameVirtualHost balancer.proxy:80
Listen balancer.proxy:80
EOF

# Set default DocumentRoots
echo DocumentRoot /var/www > /etc/apache2-ssloffloader/conf.d/documentroot
echo DocumentRoot /var/www > /etc/apache2-balancer/conf.d/documentroot

# Enable/disable necessary modules
APACHE_CONFDIR='/etc/apache2-ssloffloader' a2enmod proxy proxy_connect proxy_http rewrite headers ssl
APACHE_CONFDIR='/etc/apache2-balancer' a2enmod proxy proxy_connect proxy_http rewrite headers proxy_balancer rpaf
APACHE_CONFDIR='/etc/apache2-ssloffloader' a2dismod rpaf

# Create directory for internal balancers and make sure the content of this folder is loaded
# (the Include line is quoted so that the shell does not expand the glob here)
mkdir -p /etc/apache2-balancer/balancers
echo 'Include /etc/apache2-balancer/balancers/*conf' > /etc/apache2-balancer/conf.d/include_balancers

# Set automatic start after reboot
update-rc.d apache2-ssloffloader defaults
update-rc.d apache2-balancer defaults

# Restart both services. As a result you have two different Apache configurations running on different IPs.
/etc/init.d/apache2-ssloffloader restart
/etc/init.d/apache2-balancer restart

# Check that the processes are working (if you get a certificate error, you have to create the certificates)
ps aux | grep apache2

4.3 Base configuration

4.3.1 SSL offloader's functional tasks

# Take requests for both 80 and 443 directly from client
# SSL VirtualHosts need to be defined in directory: /etc/apache2-ssloffloader/sites-enabled,
# certificates are kept in directory: /etc/certificates-apache2
cat > /etc/apache2-ssloffloader/sites-enabled/proxy.balancer.conf <<EOF
<VirtualHost *:80>
    ProxyPass / http://balancer.proxy/
</VirtualHost>
EOF

cat > /etc/apache2-ssloffloader/sites-enabled/ee.example.wildcard.conf <<EOF
<VirtualHost ssloffloader.proxy:443>
    ProxyPass / http://balancer.proxy/
    # + Certificates
    SSLEngine on
    SSLCertificateFile /etc/certificates-apache2/sites/wildcard.example.ee.crt
    SSLCertificateKeyFile /etc/certificates-apache2/sites/wildcard.example.ee.key
    SSLCertificateChainFile /etc/certificates-apache2/sites/juur-thawte.crt
    SSLCACertificateFile /etc/certificates-apache2/ssl.crt/id.crt
</VirtualHost>
EOF

# Headers cleaning from client sent data;
# setting headers for backend server is done in file: /etc/apache2-ssloffloader/conf.d/ssl_offload_headers
cat > /etc/apache2-ssloffloader/conf.d/ssl_offload_headers <<EOF
#############################################
# COMMON
#############################################
# UNSET COMMON HEADERS
RequestHeader unset Proxy-Client-IP
RequestHeader unset X-Forwarded-For

#############################################
# Apache
#############################################
# CLEAN APACHE SSL HEADERS (the client must not be able to supply any of these itself)
RequestHeader unset Https
RequestHeader unset Ssl-Protocol
RequestHeader unset Ssl-Session-Id
RequestHeader unset Ssl-Cipher
RequestHeader unset Ssl-Cipher-Export
RequestHeader unset Ssl-Cipher-Algkeysize
RequestHeader unset Ssl-Cipher-Usekeysize
RequestHeader unset Ssl-Version-Library
RequestHeader unset Ssl-Version-Interface
RequestHeader unset Ssl-Client-M-Version
RequestHeader unset Ssl-Client-M-Serial
RequestHeader unset Ssl-Client-V-Start
RequestHeader unset Ssl-Client-V-End
RequestHeader unset Ssl-Client-S-Dn
RequestHeader unset Ssl-Client-S-Dn-C
RequestHeader unset Ssl-Client-S-Dn-St
RequestHeader unset Ssl-Client-S-Dn-L
RequestHeader unset Ssl-Client-S-Dn-O
RequestHeader unset Ssl-Client-S-Dn-Ou
RequestHeader unset Ssl-Client-S-Dn-Cn
RequestHeader unset Ssl-Client-S-Dn-T
RequestHeader unset Ssl-Client-S-Dn-I
RequestHeader unset Ssl-Client-S-Dn-G
RequestHeader unset Ssl-Client-S-Dn-S
RequestHeader unset Ssl-Client-S-Dn-D
RequestHeader unset Ssl-Client-S-Dn-Uid
RequestHeader unset Ssl-Client-S-Dn-Email
RequestHeader unset Ssl-Client-I-Dn
RequestHeader unset Ssl-Client-I-Dn-C
RequestHeader unset Ssl-Client-I-Dn-St
RequestHeader unset Ssl-Client-I-Dn-L
RequestHeader unset Ssl-Client-I-Dn-O
RequestHeader unset Ssl-Client-I-Dn-Ou
RequestHeader unset Ssl-Client-I-Dn-Cn
RequestHeader unset Ssl-Client-I-Dn-T
RequestHeader unset Ssl-Client-I-Dn-I
RequestHeader unset Ssl-Client-I-Dn-G
RequestHeader unset Ssl-Client-I-Dn-S
RequestHeader unset Ssl-Client-I-Dn-D
RequestHeader unset Ssl-Client-I-Dn-Uid
RequestHeader unset Ssl-Client-I-Dn-Email
RequestHeader unset Ssl-Client-A-Sig
RequestHeader unset Ssl-Client-A-Key
RequestHeader unset Ssl-Client-Cert
RequestHeader unset Ssl-Client-Cert-Chain-N
RequestHeader unset Ssl-Client-Verify
RequestHeader unset Ssl-Server-M-Version
RequestHeader unset Ssl-Server-M-Serial
RequestHeader unset Ssl-Server-V-Start
RequestHeader unset Ssl-Server-V-End
RequestHeader unset Ssl-Server-S-Dn
RequestHeader unset Ssl-Server-S-Dn-C
RequestHeader unset Ssl-Server-S-Dn-St
RequestHeader unset Ssl-Server-S-Dn-L
RequestHeader unset Ssl-Server-S-Dn-O
RequestHeader unset Ssl-Server-S-Dn-Ou
RequestHeader unset Ssl-Server-S-Dn-Cn
RequestHeader unset Ssl-Server-S-Dn-T
RequestHeader unset Ssl-Server-S-Dn-I
RequestHeader unset Ssl-Server-S-Dn-G
RequestHeader unset Ssl-Server-S-Dn-S
RequestHeader unset Ssl-Server-S-Dn-D
RequestHeader unset Ssl-Server-S-Dn-Uid
RequestHeader unset Ssl-Server-S-Dn-Email
RequestHeader unset Ssl-Server-I-Dn
RequestHeader unset Ssl-Server-I-Dn-C
RequestHeader unset Ssl-Server-I-Dn-St
RequestHeader unset Ssl-Server-I-Dn-L
RequestHeader unset Ssl-Server-I-Dn-O
RequestHeader unset Ssl-Server-I-Dn-Ou
RequestHeader unset Ssl-Server-I-Dn-Cn
RequestHeader unset Ssl-Server-I-Dn-T
RequestHeader unset Ssl-Server-I-Dn-I
RequestHeader unset Ssl-Server-I-Dn-G
RequestHeader unset Ssl-Server-I-Dn-S
RequestHeader unset Ssl-Server-I-Dn-D
RequestHeader unset Ssl-Server-I-Dn-Uid
RequestHeader unset Ssl-Server-I-Dn-Email
RequestHeader unset Ssl-Server-A-Sig
RequestHeader unset Ssl-Server-A-Key
RequestHeader unset Ssl-Server-Cert

# SET APACHE SSL HEADERS REQUIRED BY THE BACKEND SERVER FROM ENV VALUES (only if they exist)
RequestHeader set Https "%{HTTPS}s" env=HTTPS
RequestHeader set Ssl-Protocol "%{SSL_PROTOCOL}s" env=SSL_PROTOCOL
RequestHeader set Ssl-Session-Id "%{SSL_SESSION_ID}s" env=SSL_SESSION_ID
RequestHeader set Ssl-Cipher "%{SSL_CIPHER}s" env=SSL_CIPHER
RequestHeader set Ssl-Cipher-Export "%{SSL_CIPHER_EXPORT}s" env=SSL_CIPHER_EXPORT
RequestHeader set Ssl-Cipher-Algkeysize "%{SSL_CIPHER_ALGKEYSIZE}s" env=SSL_CIPHER_ALGKEYSIZE
RequestHeader set Ssl-Cipher-Usekeysize "%{SSL_CIPHER_USEKEYSIZE}s" env=SSL_CIPHER_USEKEYSIZE
RequestHeader set Ssl-Version-Library "%{SSL_VERSION_LIBRARY}s" env=SSL_VERSION_LIBRARY
RequestHeader set Ssl-Version-Interface "%{SSL_VERSION_INTERFACE}s" env=SSL_VERSION_INTERFACE
RequestHeader set Ssl-Client-M-Version "%{SSL_CLIENT_M_VERSION}s" env=SSL_CLIENT_M_VERSION
RequestHeader set Ssl-Client-M-Serial "%{SSL_CLIENT_M_SERIAL}s" env=SSL_CLIENT_M_SERIAL
RequestHeader set Ssl-Client-V-Start "%{SSL_CLIENT_V_START}s" env=SSL_CLIENT_V_START
RequestHeader set Ssl-Client-V-End "%{SSL_CLIENT_V_END}s" env=SSL_CLIENT_V_END
RequestHeader set Ssl-Client-S-Dn "%{SSL_CLIENT_S_DN}s" env=SSL_CLIENT_S_DN
RequestHeader set Ssl-Client-S-Dn-C "%{SSL_CLIENT_S_DN_C}s" env=SSL_CLIENT_S_DN_C
RequestHeader set Ssl-Client-S-Dn-St "%{SSL_CLIENT_S_DN_ST}s" env=SSL_CLIENT_S_DN_ST
RequestHeader set Ssl-Client-S-Dn-L "%{SSL_CLIENT_S_DN_L}s" env=SSL_CLIENT_S_DN_L
RequestHeader set Ssl-Client-S-Dn-O "%{SSL_CLIENT_S_DN_O}s" env=SSL_CLIENT_S_DN_O
RequestHeader set Ssl-Client-S-Dn-Ou "%{SSL_CLIENT_S_DN_OU}s" env=SSL_CLIENT_S_DN_OU
RequestHeader set Ssl-Client-S-Dn-Cn "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
RequestHeader set Ssl-Client-S-Dn-T "%{SSL_CLIENT_S_DN_T}s" env=SSL_CLIENT_S_DN_T
RequestHeader set Ssl-Client-S-Dn-I "%{SSL_CLIENT_S_DN_I}s" env=SSL_CLIENT_S_DN_I
RequestHeader set Ssl-Client-S-Dn-G "%{SSL_CLIENT_S_DN_G}s" env=SSL_CLIENT_S_DN_G
RequestHeader set Ssl-Client-S-Dn-S "%{SSL_CLIENT_S_DN_S}s" env=SSL_CLIENT_S_DN_S
RequestHeader set Ssl-Client-S-Dn-D "%{SSL_CLIENT_S_DN_D}s" env=SSL_CLIENT_S_DN_D
RequestHeader set Ssl-Client-S-Dn-Uid "%{SSL_CLIENT_S_DN_UID}s" env=SSL_CLIENT_S_DN_UID
RequestHeader set Ssl-Client-S-Dn-Email "%{SSL_CLIENT_S_DN_Email}s" env=SSL_CLIENT_S_DN_Email
RequestHeader set Ssl-Client-I-Dn "%{SSL_CLIENT_I_DN}s" env=SSL_CLIENT_I_DN
RequestHeader set Ssl-Client-I-Dn-C "%{SSL_CLIENT_I_DN_C}s" env=SSL_CLIENT_I_DN_C
RequestHeader set Ssl-Client-I-Dn-St "%{SSL_CLIENT_I_DN_ST}s" env=SSL_CLIENT_I_DN_ST
RequestHeader set Ssl-Client-I-Dn-L "%{SSL_CLIENT_I_DN_L}s" env=SSL_CLIENT_I_DN_L
RequestHeader set Ssl-Client-I-Dn-O "%{SSL_CLIENT_I_DN_O}s" env=SSL_CLIENT_I_DN_O
RequestHeader set Ssl-Client-I-Dn-Ou "%{SSL_CLIENT_I_DN_OU}s" env=SSL_CLIENT_I_DN_OU
RequestHeader set Ssl-Client-I-Dn-Cn "%{SSL_CLIENT_I_DN_CN}s" env=SSL_CLIENT_I_DN_CN
RequestHeader set Ssl-Client-I-Dn-T "%{SSL_CLIENT_I_DN_T}s" env=SSL_CLIENT_I_DN_T
RequestHeader set Ssl-Client-I-Dn-I "%{SSL_CLIENT_I_DN_I}s" env=SSL_CLIENT_I_DN_I
RequestHeader set Ssl-Client-I-Dn-G "%{SSL_CLIENT_I_DN_G}s" env=SSL_CLIENT_I_DN_G
RequestHeader set Ssl-Client-I-Dn-S "%{SSL_CLIENT_I_DN_S}s" env=SSL_CLIENT_I_DN_S
RequestHeader set Ssl-Client-I-Dn-D "%{SSL_CLIENT_I_DN_D}s" env=SSL_CLIENT_I_DN_D
RequestHeader set Ssl-Client-I-Dn-Uid "%{SSL_CLIENT_I_DN_UID}s" env=SSL_CLIENT_I_DN_UID
RequestHeader set Ssl-Client-I-Dn-Email "%{SSL_CLIENT_I_DN_Email}s" env=SSL_CLIENT_I_DN_Email
RequestHeader set Ssl-Client-A-Sig "%{SSL_CLIENT_A_SIG}s" env=SSL_CLIENT_A_SIG
RequestHeader set Ssl-Client-A-Key "%{SSL_CLIENT_A_KEY}s" env=SSL_CLIENT_A_KEY
RequestHeader set Ssl-Client-Cert "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
RequestHeader set Ssl-Client-Cert-Chain-N "%{SSL_CLIENT_CERT_CHAIN_n}s" env=SSL_CLIENT_CERT_CHAIN_n
RequestHeader set Ssl-Client-Verify "%{SSL_CLIENT_VERIFY}s" env=SSL_CLIENT_VERIFY
RequestHeader set Ssl-Server-M-Version "%{SSL_SERVER_M_VERSION}s" env=SSL_SERVER_M_VERSION
RequestHeader set Ssl-Server-M-Serial "%{SSL_SERVER_M_SERIAL}s" env=SSL_SERVER_M_SERIAL
RequestHeader set Ssl-Server-V-Start "%{SSL_SERVER_V_START}s" env=SSL_SERVER_V_START
RequestHeader set Ssl-Server-V-End "%{SSL_SERVER_V_END}s" env=SSL_SERVER_V_END
RequestHeader set Ssl-Server-S-Dn "%{SSL_SERVER_S_DN}s" env=SSL_SERVER_S_DN
RequestHeader set Ssl-Server-S-Dn-C "%{SSL_SERVER_S_DN_C}s" env=SSL_SERVER_S_DN_C
RequestHeader set Ssl-Server-S-Dn-St "%{SSL_SERVER_S_DN_ST}s" env=SSL_SERVER_S_DN_ST
RequestHeader set Ssl-Server-S-Dn-L "%{SSL_SERVER_S_DN_L}s" env=SSL_SERVER_S_DN_L
RequestHeader set Ssl-Server-S-Dn-O "%{SSL_SERVER_S_DN_O}s" env=SSL_SERVER_S_DN_O
RequestHeader set Ssl-Server-S-Dn-Ou "%{SSL_SERVER_S_DN_OU}s" env=SSL_SERVER_S_DN_OU
RequestHeader set Ssl-Server-S-Dn-Cn "%{SSL_SERVER_S_DN_CN}s" env=SSL_SERVER_S_DN_CN
RequestHeader set Ssl-Server-S-Dn-T "%{SSL_SERVER_S_DN_T}s" env=SSL_SERVER_S_DN_T
RequestHeader set Ssl-Server-S-Dn-I "%{SSL_SERVER_S_DN_I}s" env=SSL_SERVER_S_DN_I
RequestHeader set Ssl-Server-S-Dn-G "%{SSL_SERVER_S_DN_G}s" env=SSL_SERVER_S_DN_G
RequestHeader set Ssl-Server-S-Dn-S "%{SSL_SERVER_S_DN_S}s" env=SSL_SERVER_S_DN_S
RequestHeader set Ssl-Server-S-Dn-D "%{SSL_SERVER_S_DN_D}s" env=SSL_SERVER_S_DN_D
RequestHeader set Ssl-Server-S-Dn-Uid "%{SSL_SERVER_S_DN_UID}s" env=SSL_SERVER_S_DN_UID
RequestHeader set Ssl-Server-S-Dn-Email "%{SSL_SERVER_S_DN_Email}s" env=SSL_SERVER_S_DN_Email
RequestHeader set Ssl-Server-I-Dn "%{SSL_SERVER_I_DN}s" env=SSL_SERVER_I_DN
RequestHeader set Ssl-Server-I-Dn-C "%{SSL_SERVER_I_DN_C}s" env=SSL_SERVER_I_DN_C
RequestHeader set Ssl-Server-I-Dn-St "%{SSL_SERVER_I_DN_ST}s" env=SSL_SERVER_I_DN_ST
RequestHeader set Ssl-Server-I-Dn-L "%{SSL_SERVER_I_DN_L}s" env=SSL_SERVER_I_DN_L
RequestHeader set Ssl-Server-I-Dn-O "%{SSL_SERVER_I_DN_O}s" env=SSL_SERVER_I_DN_O
RequestHeader set Ssl-Server-I-Dn-Ou "%{SSL_SERVER_I_DN_OU}s" env=SSL_SERVER_I_DN_OU
RequestHeader set Ssl-Server-I-Dn-Cn "%{SSL_SERVER_I_DN_CN}s" env=SSL_SERVER_I_DN_CN
RequestHeader set Ssl-Server-I-Dn-T "%{SSL_SERVER_I_DN_T}s" env=SSL_SERVER_I_DN_T
RequestHeader set Ssl-Server-I-Dn-I "%{SSL_SERVER_I_DN_I}s" env=SSL_SERVER_I_DN_I
RequestHeader set Ssl-Server-I-Dn-G "%{SSL_SERVER_I_DN_G}s" env=SSL_SERVER_I_DN_G
RequestHeader set Ssl-Server-I-Dn-S "%{SSL_SERVER_I_DN_S}s" env=SSL_SERVER_I_DN_S
RequestHeader set Ssl-Server-I-Dn-D "%{SSL_SERVER_I_DN_D}s" env=SSL_SERVER_I_DN_D
RequestHeader set Ssl-Server-I-Dn-Uid "%{SSL_SERVER_I_DN_UID}s" env=SSL_SERVER_I_DN_UID
RequestHeader set Ssl-Server-I-Dn-Email "%{SSL_SERVER_I_DN_Email}s" env=SSL_SERVER_I_DN_Email
RequestHeader set Ssl-Server-A-Sig "%{SSL_SERVER_A_SIG}s" env=SSL_SERVER_A_SIG
RequestHeader set Ssl-Server-A-Key "%{SSL_SERVER_A_KEY}s" env=SSL_SERVER_A_KEY
RequestHeader set Ssl-Server-Cert "%{SSL_SERVER_CERT}s" env=SSL_SERVER_CERT

#############################################
# Weblogic
#############################################
# CLEAN WEBLOGIC HEADERS
RequestHeader unset WL-Proxy-SSL
RequestHeader unset WL-Proxy-Client-Cert
RequestHeader unset WL-Proxy-Client-Keysize
RequestHeader unset WL-Proxy-Client-Secretkeysize
RequestHeader unset WL-Proxy-Client-IP
RequestHeader unset X-WebLogic-KeepAliveSecs
RequestHeader unset X-WebLogic-Request-ClusterInfo
RequestHeader unset x-weblogic-cluster-hash

# SET HEADERS FROM ENV FOR WEBLOGIC
RequestHeader set WL-Proxy-SSL "true" env=HTTPS
RequestHeader set WL-Proxy-Client-Keysize "%{SSL_CIPHER_USEKEYSIZE}s" env=HTTPS
RequestHeader set WL-Proxy-Client-Secretkeysize "%{SSL_CIPHER_USEKEYSIZE}s" env=HTTPS
RequestHeader set WL-Proxy-Client-IP "%{REMOTE_ADDR}s"
RequestHeader set Proxy-Client-IP "%{REMOTE_ADDR}s"
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
RequestHeader set X-WebLogic-KeepAliveSecs "30"

# Set Cert from SSL_CLIENT_CERT env value + clean it for Weblogic (only cert content).
# "RequestHeader edit" replaces only the first match, so the space-removing line
# is repeated once for every line of the PEM body.
RequestHeader set WL-Proxy-Client-Cert "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert "-----BEGIN CERTIFICATE-----" "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert "-----END CERTIFICATE-----" "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
RequestHeader edit WL-Proxy-Client-Cert " " "" env=SSL_CLIENT_CERT
EOF

# Default SSLVerifyClient paths for all the hosts
# defined in file: /etc/apache2-ssloffloader/conf.d/ssl_smartcard_auth_url
cat > /etc/apache2-ssloffloader/conf.d/ssl_smartcard_auth_url <<EOF
# URL for client cert auth - base websites
<Location ~ "auth/smartcard">
    SSLOptions +StdEnvVars +ExportCertData
    SSLVerifyClient optional
    SSLVerifyDepth 2
</Location>
# One Java app
<Location ~ "idLogin">
    SSLOptions +StdEnvVars +ExportCertData
    SSLVerifyClient optional
    SSLVerifyDepth 2
</Location>
EOF

# Forward request to balancer.proxy
# proxy configuration is defined in file: /etc/apache2-ssloffloader/mods-enabled/proxy.conf
cat > /etc/apache2-ssloffloader/mods-enabled/proxy.conf <<EOF
<IfModule mod_proxy.c>
    # turning ProxyRequests on and allowing proxying from all may allow
    # spammers to use your proxy to send email.
    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Allow from all
    </Proxy>
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    ProxyVia Off
    # Necessary so that Host: in the header remains intact
    ProxyPreserveHost On
    ProxyTimeout 6000
</IfModule>
EOF

4.3.2 SSL offloader's informative tasks

# Log requests
# logging is defined in file: /etc/apache2-ssloffloader/conf.d/logging
cat > /etc/apache2-ssloffloader/conf.d/logging <<EOF
LogFormat "%V:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" custom_vhost_combined
ErrorLog "|/usr/bin/logger -p local1.error -t apache2-ssloffloader"
CustomLog "|/usr/bin/logger -p local1.info -t apache2-ssloffloader" custom_vhost_combined
EOF

# Show SSL offloader status
# defined in file: /etc/apache2-ssloffloader/conf.d/serverinfo-status
cat > /etc/apache2-ssloffloader/conf.d/serverinfo-status <<EOF
ExtendedStatus On
<Location /ssloffloader-status>
    SetHandler server-status
    Order Allow,Deny
    Allow from 192.168.252 172.19
</Location>
# the status URL must not be proxied to the balancer
ProxyPass /ssloffloader-status !
EOF

4.3.3 Load balancer's functional tasks
# Take requests for localhost and port 80
# name based virtualhosts are defined in directory: /etc/apache2-balancer/sites-enabled
# (I'd recommend using the filename format: domain.subdomain.subdomain.conf)
cat > /etc/apache2-balancer/sites-enabled/ee.example.example.conf <<EOF
<VirtualHost balancer.proxy:80>
    ServerName example.example.ee
    ServerAlias data.example.ee alias.example.ee
    ProxyPass / balancer://example.balancer/
</VirtualHost>
EOF

# Create balancers
# configured in directory: /etc/apache2-balancer/balancers
cat > /etc/apache2-balancer/balancers/example.balancer.conf <<EOF
# This is an example balancer, you will have to change it later
<Proxy balancer://example.balancer>
    BalancerMember http://10.0.6.153:80
    BalancerMember http://10.0.6.154:80
</Proxy>
EOF

# Configure proxy
# proxy configured in /etc/apache2-balancer/mods-enabled/proxy.conf
cat > /etc/apache2-balancer/mods-enabled/proxy.conf <<EOF
<IfModule mod_proxy.c>
    # turning ProxyRequests on and allowing proxying from all may allow
    # spammers to use your proxy to send email.
    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Allow from all
    </Proxy>
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    ProxyVia Off
    # Necessary so that Host: in the header remains intact
    ProxyPreserveHost On
    ProxyTimeout 6000
    # FIX: needed so that mod-itk would not exit (same TCP session, different host problem)
    # TODO: SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</IfModule>
EOF

4.3.4 Load balancer's informative tasks

# Log requests
# logging is defined in file: /etc/apache2-balancer/conf.d/logging
cat > /etc/apache2-balancer/conf.d/logging <<EOF
LogFormat "%V:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" custom_vhost_combined
ErrorLog "|/usr/bin/logger -p local1.error -t apache2-balancer"
CustomLog "|/usr/bin/logger -p local1.info -t apache2-balancer" custom_vhost_combined
EOF

# Show load balancer status
# defined in file: /etc/apache2-balancer/conf.d/balancer-status
# (mod_rpaf, enabled on the balancer, restores the client IP from X-Forwarded-For,
# so the Allow networks below refer to the original clients, not to the offloader)
cat > /etc/apache2-balancer/conf.d/balancer-status <<EOF
ExtendedStatus On
<Location /balancer-status>
    SetHandler server-status
    Order Allow,Deny
    Allow from 192.168.252 172.19
</Location>
ProxyPass /balancer-status !
EOF

# Show and let admin configure balancers
# defined in file: /etc/apache2-balancer/conf.d/balancer-manager
cat > /etc/apache2-balancer/conf.d/balancer-manager <<EOF
# Show LB balancer status
<Location /balancer-manager>
    SetHandler balancer-manager
    Order Allow,Deny
    Allow from 192.168.252 172.19
</Location>
ProxyPass /balancer-manager !
EOF

4.4 Confirm that everything is working

1. Reboot
2. netstat -penat | egrep '443|80'
3. http://server/ssloffloader-status
4. http://server/balancer-status
5. http://server/balancer-manager
6. Configure additional hosts as needed

4.5 Configuration procedure examples

4.5.1 Add new backend servers, and a domain to be SSL offloaded and load balanced

1.) Choices
Choices
• Different IPs and port 443 for the new SSL host (you have to add a new IP to the server and configure Listen for the new IP, both 80 and 443)
• Same IPs, but a different port for the SSL host

2.) Steps
1. Only if you need a new VirtualHost with a different certificate for that domain: define a new SSL VirtualHost in file /etc/apache2-ssloffloader/sites-enabled/com.anotherdomain.subdomain.conf that ProxyPasses to balancer.proxy
2. If the balancer is not defined yet: define a new balancer for the "anotherwebservers.subnet.kit" server group in file /etc/apache2-balancer/balancers/kit.subnet.anotherwebservers.conf
3. Create a new named VirtualHost for "subdomain.anotherdomain.com" in file /etc/apache2-balancer/sites-enabled/com.anotherdomain.subdomain.conf

3.) Configure

# Create another virtual host for the new domain and certificate
cat > /etc/apache2-ssloffloader/sites-enabled/com.anotherdomain.subdomain.conf <<EOF
Listen ssloffloader.proxy:444
<VirtualHost ssloffloader.proxy:444>
    ProxyPass / http://balancer.proxy/
    # + Certificates
    SSLEngine on
    SSLCertificateFile /etc/certificates-apache2/sites/subdomain.anotherdomain.com.crt
    SSLCertificateKeyFile /etc/certificates-apache2/sites/subdomain.anotherdomain.com.key
    SSLCertificateChainFile /etc/certificates-apache2/sites/juur-thawte.crt
    SSLCACertificateFile /etc/certificates-apache2/ssl.crt/id.crt
</VirtualHost>
EOF

# Create the new balancer://
cat > /etc/apache2-balancer/balancers/kit.subnet.anotherwebservers.conf <<EOF
<Proxy balancer://kit.subnet.anotherwebserver>
    BalancerMember http://10.0.6.201:80
    BalancerMember http://10.0.6.202:80
</Proxy>
EOF

# Create the new virtual host for the domain on the balancer
cat > /etc/apache2-balancer/sites-enabled/com.anotherdomain.subdomain.conf <<EOF
<VirtualHost balancer.proxy:80>
    ServerName subdomain.anotherdomain.com
    ProxyPass / balancer://kit.subnet.anotherwebserver/
</VirtualHost>
EOF

4.) Testing
1. Change your hosts file and make a usual HTTP(S) request, or do it by hand:
   telnet server 80
   GET / HTTP/1.0
   Host: subdomain.anotherdomain.com

4.5.2
Add a new VirtualHost with sticky sessions controlled in the Load Balancer (can be used for Apache2, Tomcat, JBoss and Weblogic backends)

1.) Steps
1. Do as in 4.5.1 Add new backend servers, and a domain to be SSL offloaded and load balanced, but create a different balancer.
2. Create the proxy balancer and set route ids for the nodes.
3. Enable mod_headers, if it is not enabled, set the stickysession name and create a rule that adds a cookie with that name and the route id whenever the route changes. (The route id is taken from stickysession_name=sometext.this_value_is_taken.)

2.) Configuration

cat > /etc/apache2-balancer/balancers/kit.subnet.weblogic-app-servers__application.conf <<EOF
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://kit.subnet.weblogic-app-servers__application>
    # one member per node, each with its own route id (replace with the real node addresses)
    BalancerMember http://10.0.6.136:7010 route=1
    BalancerMember http://10.0.6.136:7010 route=2
    ProxySet stickysession=ROUTEID
</Proxy>
EOF

The ROUTEID cookie carries no secret, but treat it like any other cookie: add HttpOnly (and Secure, when the site is served over HTTPS only) to the Set-Cookie value above.

3.) Testing
1. The route id is looked up in the stickysession name in this order: 1.) from the URL, 2.) from the cookie. That means you can test the setup by requesting http://server/?ROUTEID=.change_id_to_test and checking the result on https://server/balancer-manager and https://server/balancer-status.

4.5.3 Multiple SSL offloaders and balancers for high availability (active-active mode)
1. You need at least two servers running with the same "SSL offloader and balancer" configuration + boot scripts.
2. Steps to do: do the install steps + copy the contents of /etc/apache2-ssloffloader/sites-enabled, /etc/apache2-balancer/balancers and /etc/apache2-balancer/sites-enabled (and the certificates from /etc/certificates-apache2, which include the private keys, so copy them over a protected channel).
3. If you have followed the logic described in this manual, you only have to change "ssloffloader.proxy" in /etc/hosts to the correct IP.

4.6 Upgrading

4.6.1 OS
Upgrading from Debian Squeeze or Ubuntu Maverick to newer versions should be without complications and additional steps. It will be tested, and if needed, additional steps will be added here.
4.6.2 SSL offloader and Load balancer concept implementation
1. Backup (4.7.1 Backup)
2. Do the install steps from this document (4.2 Install)

4.7 Backup and restore

4.7.1 Backup
/etc/*apache2* (apache2-ssloffloader, apache2-balancer, certificates-apache2) must be backed up regularly. certificates-apache2 contains the private keys, so the backup has to be protected like the server itself.

4.7.2 Restore
Do the install steps + copy apache2-ssloffloader, apache2-balancer and certificates-apache2 from the backup back into the /etc folder.

5. Backend server configuration

5.1 Apache2

1.) Description of steps
1. Install mod_rpaf (so the correct env values for the client IP are set)
2. Set env values from the headers

2.) Steps

# Additional necessary install
apt-get install libapache2-mod-rpaf

# Enable the necessary modules
a2enmod headers rpaf

# Configure mod_rpaf so the correct REMOTE_ADDR is set
# Edit /etc/apache2/mods-enabled/rpaf.conf (read more: http://stderr.net/apache/rpaf/)
RPAFproxy_ips WRITE_BALANCER_PRIMARY_INTERFACE_IP_HERE

# Create SSL env values from HTTP headers
#
# Requests must be allowed only from the SSL offloader and balancer (firewall the
# backend's port 80 to the balancer address, or use Order/Allow from in Apache),
# otherwise this is a major security problem: any client could send for example an
# Ssl-Client-Verify or Ssl-Client-Cert header itself, and it would be taken as a
# value that mod_ssl set. mod_rpaf has the same trust boundary: it believes
# X-Forwarded-For only from the addresses listed in RPAFproxy_ips.
cat > /etc/apache2/conf.d/ssl_env_values_from_headers <<EOF
SetEnvIf Https "(..*)" HTTPS=\$1
SetEnvIf Ssl-Protocol "(..*)" SSL_PROTOCOL=\$1
SetEnvIf Ssl-Session-Id "(..*)" SSL_SESSION_ID=\$1
SetEnvIf Ssl-Cipher "(..*)" SSL_CIPHER=\$1
SetEnvIf Ssl-Cipher-Export "(..*)" SSL_CIPHER_EXPORT=\$1
SetEnvIf Ssl-Cipher-Algkeysize "(..*)" SSL_CIPHER_ALGKEYSIZE=\$1
SetEnvIf Ssl-Cipher-Usekeysize "(..*)" SSL_CIPHER_USEKEYSIZE=\$1
SetEnvIf Ssl-Version-Library "(..*)" SSL_VERSION_LIBRARY=\$1
SetEnvIf Ssl-Version-Interface "(..*)" SSL_VERSION_INTERFACE=\$1
SetEnvIf Ssl-Client-M-Version "(..*)" SSL_CLIENT_M_VERSION=\$1
SetEnvIf Ssl-Client-M-Serial "(..*)" SSL_CLIENT_M_SERIAL=\$1
SetEnvIf Ssl-Client-V-Start "(..*)" SSL_CLIENT_V_START=\$1
SetEnvIf Ssl-Client-V-End "(..*)" SSL_CLIENT_V_END=\$1
SetEnvIf Ssl-Client-S-Dn "(..*)" SSL_CLIENT_S_DN=\$1
SetEnvIf Ssl-Client-S-Dn-C "(..*)" SSL_CLIENT_S_DN_C=\$1
SetEnvIf Ssl-Client-S-Dn-St "(..*)" SSL_CLIENT_S_DN_ST=\$1
SetEnvIf Ssl-Client-S-Dn-L "(..*)" SSL_CLIENT_S_DN_L=\$1
SetEnvIf Ssl-Client-S-Dn-O "(..*)" SSL_CLIENT_S_DN_O=\$1
SetEnvIf Ssl-Client-S-Dn-Ou "(..*)" SSL_CLIENT_S_DN_OU=\$1
SetEnvIf Ssl-Client-S-Dn-Cn "(..*)" SSL_CLIENT_S_DN_CN=\$1
SetEnvIf Ssl-Client-S-Dn-T "(..*)" SSL_CLIENT_S_DN_T=\$1
SetEnvIf Ssl-Client-S-Dn-I "(..*)" SSL_CLIENT_S_DN_I=\$1
SetEnvIf Ssl-Client-S-Dn-G "(..*)" SSL_CLIENT_S_DN_G=\$1
SetEnvIf Ssl-Client-S-Dn-S "(..*)" SSL_CLIENT_S_DN_S=\$1
SetEnvIf Ssl-Client-S-Dn-D "(..*)" SSL_CLIENT_S_DN_D=\$1
SetEnvIf Ssl-Client-S-Dn-Uid "(..*)" SSL_CLIENT_S_DN_UID=\$1
SetEnvIf Ssl-Client-S-Dn-Email "(..*)" SSL_CLIENT_S_DN_Email=\$1
SetEnvIf Ssl-Client-I-Dn "(..*)" SSL_CLIENT_I_DN=\$1
SetEnvIf Ssl-Client-I-Dn-C "(..*)" SSL_CLIENT_I_DN_C=\$1
SetEnvIf Ssl-Client-I-Dn-St "(..*)" SSL_CLIENT_I_DN_ST=\$1
SetEnvIf Ssl-Client-I-Dn-L "(..*)" SSL_CLIENT_I_DN_L=\$1
SetEnvIf Ssl-Client-I-Dn-O "(..*)" SSL_CLIENT_I_DN_O=\$1
SetEnvIf Ssl-Client-I-Dn-Ou "(..*)" SSL_CLIENT_I_DN_OU=\$1
SetEnvIf Ssl-Client-I-Dn-Cn "(..*)" SSL_CLIENT_I_DN_CN=\$1
SetEnvIf Ssl-Client-I-Dn-T "(..*)" SSL_CLIENT_I_DN_T=\$1
SetEnvIf Ssl-Client-I-Dn-I "(..*)" SSL_CLIENT_I_DN_I=\$1
SetEnvIf Ssl-Client-I-Dn-G "(..*)" SSL_CLIENT_I_DN_G=\$1
SetEnvIf Ssl-Client-I-Dn-S "(..*)" SSL_CLIENT_I_DN_S=\$1
SetEnvIf Ssl-Client-I-Dn-D "(..*)" SSL_CLIENT_I_DN_D=\$1
SetEnvIf Ssl-Client-I-Dn-Uid "(..*)" SSL_CLIENT_I_DN_UID=\$1
SetEnvIf Ssl-Client-I-Dn-Email "(..*)" SSL_CLIENT_I_DN_Email=\$1
SetEnvIf Ssl-Client-A-Sig "(..*)" SSL_CLIENT_A_SIG=\$1
SetEnvIf Ssl-Client-A-Key "(..*)" SSL_CLIENT_A_KEY=\$1
SetEnvIf Ssl-Client-Cert "(..*)" SSL_CLIENT_CERT=\$1
SetEnvIf Ssl-Client-Cert-Chain-N "(..*)" SSL_CLIENT_CERT_CHAIN_n=\$1
SetEnvIf Ssl-Client-Verify "(..*)" SSL_CLIENT_VERIFY=\$1
SetEnvIf Ssl-Server-M-Version "(..*)" SSL_SERVER_M_VERSION=\$1
SetEnvIf Ssl-Server-M-Serial "(..*)" SSL_SERVER_M_SERIAL=\$1
SetEnvIf Ssl-Server-V-Start "(..*)" SSL_SERVER_V_START=\$1
SetEnvIf Ssl-Server-V-End "(..*)" SSL_SERVER_V_END=\$1
SetEnvIf Ssl-Server-S-Dn "(..*)" SSL_SERVER_S_DN=\$1
SetEnvIf Ssl-Server-S-Dn-C "(..*)" SSL_SERVER_S_DN_C=\$1
SetEnvIf Ssl-Server-S-Dn-St "(..*)" SSL_SERVER_S_DN_ST=\$1
SetEnvIf Ssl-Server-S-Dn-L "(..*)" SSL_SERVER_S_DN_L=\$1
SetEnvIf Ssl-Server-S-Dn-O "(..*)" SSL_SERVER_S_DN_O=\$1
SetEnvIf Ssl-Server-S-Dn-Ou "(..*)" SSL_SERVER_S_DN_OU=\$1
SetEnvIf Ssl-Server-S-Dn-Cn "(..*)" SSL_SERVER_S_DN_CN=\$1
SetEnvIf Ssl-Server-S-Dn-T "(..*)" SSL_SERVER_S_DN_T=\$1
SetEnvIf Ssl-Server-S-Dn-I "(..*)" SSL_SERVER_S_DN_I=\$1
SetEnvIf Ssl-Server-S-Dn-G "(..*)" SSL_SERVER_S_DN_G=\$1
SetEnvIf Ssl-Server-S-Dn-S "(..*)" SSL_SERVER_S_DN_S=\$1
SetEnvIf Ssl-Server-S-Dn-D "(..*)" SSL_SERVER_S_DN_D=\$1
SetEnvIf Ssl-Server-S-Dn-Uid "(..*)" SSL_SERVER_S_DN_UID=\$1
SetEnvIf Ssl-Server-S-Dn-Email "(..*)" SSL_SERVER_S_DN_Email=\$1
SetEnvIf Ssl-Server-I-Dn "(..*)" SSL_SERVER_I_DN=\$1
SetEnvIf Ssl-Server-I-Dn-C "(..*)" SSL_SERVER_I_DN_C=\$1
SetEnvIf Ssl-Server-I-Dn-St "(..*)" SSL_SERVER_I_DN_ST=\$1
SetEnvIf Ssl-Server-I-Dn-L "(..*)" SSL_SERVER_I_DN_L=\$1
SetEnvIf Ssl-Server-I-Dn-O "(..*)" SSL_SERVER_I_DN_O=\$1
SetEnvIf Ssl-Server-I-Dn-Ou "(..*)" SSL_SERVER_I_DN_OU=\$1
SetEnvIf Ssl-Server-I-Dn-Cn "(..*)" SSL_SERVER_I_DN_CN=\$1
SetEnvIf Ssl-Server-I-Dn-T "(..*)" SSL_SERVER_I_DN_T=\$1
SetEnvIf Ssl-Server-I-Dn-I "(..*)" SSL_SERVER_I_DN_I=\$1
SetEnvIf Ssl-Server-I-Dn-G "(..*)" SSL_SERVER_I_DN_G=\$1
SetEnvIf Ssl-Server-I-Dn-S "(..*)" SSL_SERVER_I_DN_S=\$1
SetEnvIf Ssl-Server-I-Dn-D "(..*)" SSL_SERVER_I_DN_D=\$1
SetEnvIf Ssl-Server-I-Dn-Uid "(..*)" SSL_SERVER_I_DN_UID=\$1
SetEnvIf Ssl-Server-I-Dn-Email "(..*)" SSL_SERVER_I_DN_Email=\$1
SetEnvIf Ssl-Server-A-Sig "(..*)" SSL_SERVER_A_SIG=\$1
SetEnvIf Ssl-Server-A-Key "(..*)" SSL_SERVER_A_KEY=\$1
SetEnvIf Ssl-Server-Cert "(..*)" SSL_SERVER_CERT=\$1
#
# The values are now in the env; remove the headers again so that nothing
# behind this server sees or trusts them
RequestHeader unset Https
RequestHeader unset Ssl-Protocol
RequestHeader unset Ssl-Session-Id
RequestHeader unset Ssl-Cipher
RequestHeader unset Ssl-Cipher-Export
RequestHeader unset Ssl-Cipher-Algkeysize
RequestHeader unset Ssl-Cipher-Usekeysize
RequestHeader unset Ssl-Version-Library
RequestHeader unset Ssl-Version-Interface
RequestHeader unset Ssl-Client-M-Version
RequestHeader unset Ssl-Client-M-Serial
RequestHeader unset Ssl-Client-V-Start
RequestHeader unset Ssl-Client-V-End
RequestHeader unset Ssl-Client-S-Dn
RequestHeader unset Ssl-Client-S-Dn-C
RequestHeader unset Ssl-Client-S-Dn-St
RequestHeader unset Ssl-Client-S-Dn-L
RequestHeader unset Ssl-Client-S-Dn-O
RequestHeader unset Ssl-Client-S-Dn-Ou
RequestHeader unset Ssl-Client-S-Dn-Cn
RequestHeader unset Ssl-Client-S-Dn-T
RequestHeader unset Ssl-Client-S-Dn-I
RequestHeader unset Ssl-Client-S-Dn-G
RequestHeader unset Ssl-Client-S-Dn-S
RequestHeader unset Ssl-Client-S-Dn-D
RequestHeader unset Ssl-Client-S-Dn-Uid
RequestHeader unset Ssl-Client-S-Dn-Email
RequestHeader unset Ssl-Client-I-Dn
RequestHeader unset Ssl-Client-I-Dn-C
RequestHeader unset Ssl-Client-I-Dn-St
RequestHeader unset Ssl-Client-I-Dn-L
RequestHeader unset Ssl-Client-I-Dn-O
RequestHeader unset Ssl-Client-I-Dn-Ou
RequestHeader unset Ssl-Client-I-Dn-Cn
RequestHeader unset Ssl-Client-I-Dn-T
RequestHeader unset Ssl-Client-I-Dn-I
RequestHeader unset Ssl-Client-I-Dn-G
RequestHeader unset Ssl-Client-I-Dn-S
RequestHeader unset Ssl-Client-I-Dn-D
RequestHeader unset Ssl-Client-I-Dn-Uid
RequestHeader unset Ssl-Client-I-Dn-Email
RequestHeader unset Ssl-Client-A-Sig
RequestHeader unset Ssl-Client-A-Key
RequestHeader unset Ssl-Client-Cert
RequestHeader unset Ssl-Client-Cert-Chain-N
RequestHeader unset Ssl-Client-Verify
RequestHeader unset Ssl-Server-M-Version
RequestHeader unset Ssl-Server-M-Serial
RequestHeader unset Ssl-Server-V-Start
RequestHeader unset Ssl-Server-V-End
RequestHeader unset Ssl-Server-S-Dn
RequestHeader unset Ssl-Server-S-Dn-C
RequestHeader unset Ssl-Server-S-Dn-St
RequestHeader unset Ssl-Server-S-Dn-L
RequestHeader unset Ssl-Server-S-Dn-O
RequestHeader unset Ssl-Server-S-Dn-Ou
RequestHeader unset Ssl-Server-S-Dn-Cn
RequestHeader unset Ssl-Server-S-Dn-T
RequestHeader unset Ssl-Server-S-Dn-I
RequestHeader unset Ssl-Server-S-Dn-G
RequestHeader unset Ssl-Server-S-Dn-S
RequestHeader unset Ssl-Server-S-Dn-D
RequestHeader unset Ssl-Server-S-Dn-Uid
RequestHeader unset Ssl-Server-S-Dn-Email
RequestHeader unset Ssl-Server-I-Dn
RequestHeader unset Ssl-Server-I-Dn-C
RequestHeader unset Ssl-Server-I-Dn-St
RequestHeader unset Ssl-Server-I-Dn-L
RequestHeader unset Ssl-Server-I-Dn-O
RequestHeader unset Ssl-Server-I-Dn-Ou
RequestHeader unset Ssl-Server-I-Dn-Cn
RequestHeader unset Ssl-Server-I-Dn-T
RequestHeader unset Ssl-Server-I-Dn-I
RequestHeader unset Ssl-Server-I-Dn-G
RequestHeader unset Ssl-Server-I-Dn-S
RequestHeader unset Ssl-Server-I-Dn-D
RequestHeader unset Ssl-Server-I-Dn-Uid
RequestHeader unset Ssl-Server-I-Dn-Email
RequestHeader unset Ssl-Server-A-Sig
RequestHeader unset Ssl-Server-A-Key
RequestHeader unset Ssl-Server-Cert
EOF

5.2 Weblogic
Configuration for Weblogic is the same as when using mod_weblogic or F5: you have to tick the checkbox "Client Cert Proxy Enabled" in the Weblogic Console, or enable the client-cert-proxy-enabled tag in the deployment's weblogic.xml. This makes Weblogic trust the client certificate header sent by the proxy, so, exactly as in 5.1, the Weblogic port must be reachable only from the SSL offloader and balancer.
• http://www.google.com/search?q=Client+Cert+Proxy+Enabled+weblogic
• http://www.google.com/search?q=client-cert-proxy-enabled

5.3 JBoss, Tomcat
If the SSL offloader is configured correctly, no additional configuration in Tomcat or JBoss is needed.

6. Configuration recommendations/notes

6.1 Apache
1. Keep in mind that the Apache2 configuration is read linearly and ProxyPass rules are matched in the order they are read, first match wins. (If you first do ProxyPass and only then set some headers or do some checks, the user will already have been proxied.)
2. In configurations don't use RewriteRule /something /otherthing [QSA,P], or the webserver will make queries to its DNS resolver whenever the substitution contains a host name; use [QSA,PT] (passthrough, not proxy) instead. Using the P flag is also a security hole through which your internal or other websites can be attacked when the target can be influenced by the request (the server then acts as an anonymous proxy).
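To make the trust boundary from section 5.1 concrete, here is an added example that is not part of the original document and not Apache code: a small Ruby model of the backend's header handling. It assumes a balancer address of 10.0.6.1 (the value that would go into RPAFproxy_ips) and uses two constructed requests, one forwarded by the balancer and one sent straight to the backend's port 80 with forged Ssl-* headers. It shows why the page insists that only the offloader and balancer may reach the backend: without the source check, the forged Ssl-Client-Verify header turns into SSL_CLIENT_VERIFY=SUCCESS on the backend.

```ruby
# Added example (not from the original document, and not Apache code): a Ruby model
# of what section 5.1 configures on the backend. The balancer address below and the
# two sample requests are assumptions made up for the example.

BALANCER_IPS = ['10.0.6.1']   # assumed balancer address, i.e. what goes into RPAFproxy_ips

# Ssl-Client-S-Dn-Cn -> SSL_CLIENT_S_DN_CN (the inverse of the 9.6 generator;
# mod_ssl's SSL_*_DN_Email is the one name that does not follow this rule)
def env_name(header)
  header.split('-').collect { |w| w.upcase }.join('_')
end

# Headers that only the offloader is supposed to set
def ssl_header?(name)
  name == 'Https' || name.start_with?('Ssl-')
end

# Model of the backend: returns [status, env, remaining_headers].
# - status is :forbidden when the request does not come from the balancer
#   (the "only from SSL offloader and balancer" rule of section 5.1)
# - env collects what SetEnvIf Ssl-Xxx "(..*)" SSL_XXX=$1 would set
# - remaining_headers is what is left after RequestHeader unset Ssl-Xxx
def process_request(remote_addr, headers, restrict_source = true)
  if restrict_source && !BALANCER_IPS.include?(remote_addr)
    return [:forbidden, {}, headers]
  end
  env = {}
  rest = {}
  headers.each do |name, value|
    if ssl_header?(name)
      env[env_name(name)] = value unless value.empty?   # "(..*)" needs at least one character
      # RequestHeader unset drops the header either way
    else
      rest[name] = value
    end
  end
  [:ok, env, rest]
end

# Constructed sample: a request as the balancer forwards it
FROM_BALANCER = ['10.0.6.1', {
  'Host' => 'example.example.ee', 'Https' => 'on', 'Ssl-Protocol' => 'TLSv1',
  'Ssl-Client-Verify' => 'SUCCESS', 'Ssl-Client-S-Dn-Cn' => 'Alice' }]

# Constructed sample: the same headers forged by a client talking to port 80 directly
SPOOFED = ['192.0.2.10', {
  'Host' => 'example.example.ee', 'Https' => 'on',
  'Ssl-Client-Verify' => 'SUCCESS', 'Ssl-Client-S-Dn-Cn' => 'admin' }]

if __FILE__ == $0
  [FROM_BALANCER, SPOOFED].each do |addr, hdrs|
    status, env, _rest = process_request(addr, hdrs)
    puts "#{addr}: #{status} #{env.inspect}"
  end
  # What happens if the backend is reachable from anywhere:
  puts "unrestricted: #{process_request(SPOOFED[0], SPOOFED[1], false)[1].inspect}"
end
```

The source check is the whole point: the SetEnvIf lines cannot tell a header set by mod_ssl on the offloader from one typed in by a client, so the restriction has to live in front of them, in the firewall or in an Order/Allow from on the backend's virtual host.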
6.2 Load balancing
1. Use sticky sessions if you are not certain that your applications fully and correctly support failover; then, if one server dies, only the users from that server are directed to another server. (See also 4.5.2 Add a new VirtualHost with sticky sessions controlled in the Load Balancer.)
2. If your backend server uses mod-itk (or for some other reason) and can't handle multiple requests for different virtual hosts in the same TCP session, disable connection reuse for that host. (http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass, search for "disablereuse")

7. Known problems
• Currently, in multi-line values the newlines are replaced with spaces by mod_headers; because of that SSL_*_CERT will not work. This is expected behaviour, because HTTP headers must be single lines. It is possible to fix the problem with RewriteMap and an external program when setting the Apache env value on the backend server. It is possible to use SSL_CLIENT_S_DN instead.

8. Links
1. http://httpd.apache.org/docs/current/mod/mod_proxy.html
2. http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html
3. http://httpd.apache.org/docs/current/mod/worker.html

9. Appendix

9.1 How SSL offload is configured usually and how with this solution
9.1.1 Common configuration's example
TODO
9.1.2 This solution's example
TODO

9.2 Short comparison between mod_weblogic and mod_balancer stickiness and failover
9.2.1 Mod_weblogic (the common use case)
The user is sent a cookie SESSIONNAME=RANDOMID!primary_servers_id!secondary_servers_id from the Weblogic server (the backend server has to do its own session replication); when the user makes a new request, mod_weblogic takes the primary server's id from the cookie and checks whether it works; if not, the secondary is used as fallback.
See also: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/plugins/apache.html

9.2.2 Mod_balancer
The route id of each route is set in the balancer:// definition; from SESSIONNAME=RANDOMID.route_id the preferred route is taken, and if that route does not answer, the next one is chosen. Usually the route id is set by the backend server, but it is also possible to set it from the load balancer (see 4.5.2 Add a new VirtualHost with sticky sessions controlled in the Load Balancer).

9.3 Helpful commands
man apache2    # :)
apache2 -V     # show the version with compile parameters (google for Apache2 MPM, prefork vs worker and itk)

9.4 Helpful tuning directives
Read:
1. http://httpd.apache.org/docs/current/mod/worker.html
2. http://httpd.apache.org/docs/current/mod/mpm_common.html

9.5 Helpful security directives
Read:
1. http://httpd.apache.org/docs/current/misc/security_tips.html

9.6 How to create the necessary header-setting files in Ruby
Note:
• This is only for Apache, JBoss and Tomcat, not for Weblogic.
Description:
1. From http://httpd.apache.org/docs/current/mod/mod_ssl.html find "SSL-related variables" and create env.txt. Each line should contain one environment variable name.
2. In the SSL offloader config: for every variable emit "RequestHeader unset Header-Name" followed by 'RequestHeader set Ssl-Env-Name "%{SSL_ENV_NAME}s" env=SSL_ENV_NAME' (http://httpd.apache.org/docs/current/mod/mod_headers.html). The unset matters: "RequestHeader set ... env=X" only runs when X is set, so without it a header that the client supplied for a variable mod_ssl did not set (for example Ssl-Client-Verify on a connection without a client certificate) would pass through to the backend.
3. In the backend server config: (see 5 Backend server configuration)

Steps:

#!/usr/bin/env ruby
# Generates the mod_headers/SetEnvIf lines for the SSL offloader and the backend
# from env.txt (one mod_ssl variable name per line, e.g. SSL_CLIENT_VERIFY).

# SSL_CLIENT_S_DN_CN -> Ssl-Client-S-Dn-Cn
def header_name(env)
  env.downcase.split('_').collect { |e| e.capitalize }.join('-')
end

envs = File.read('env.txt').split("\n").reject { |e| e.empty? }

# UNSET HEADERS (ssloffloader): drop whatever the client sent
puts envs.collect { |env| "RequestHeader unset #{header_name(env)}" }.join("\n")

# SET HEADERS (ssloffloader): copy the mod_ssl variables into request headers
puts envs.collect { |env| "RequestHeader set #{header_name(env)} \"%{#{env}}s\" env=#{env}" }.join("\n")

# SET ENV VALUES FROM HEADERS (backend server); \$1 because the output is pasted into a heredoc
puts envs.collect { |env| "SetEnvIf #{header_name(env)} \"(..*)\" #{env}=\\$1" }.join("\n")

# UNSET HEADERS (backend server): we don't need them any more
puts envs.collect { |env| "RequestHeader unset #{header_name(env)}" }.join("\n")
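As an added example (not from the original document, and a model rather than mod_proxy_balancer's own code), the following Ruby script walks through the sticky-session lookup used in 4.5.2 and described in 9.2.2: the route id is taken from the URL first and then from the ROUTEID cookie, the part after the first '.' names the route, a usable member with that route is preferred, and otherwise the request goes to another usable member and BALANCER_ROUTE_CHANGED is set so that the Set-Cookie rule from 4.5.2 reissues the cookie. The member addresses, the simple round robin used in place of the lbmethod, and the sample requests are assumptions made for the example.

```ruby
# Added example (not from the original document, and a model rather than
# mod_proxy_balancer's own code) of the sticky-session lookup from 4.5.2 / 9.2.2.
# Member addresses, the round robin that stands in for the lbmethod, and the
# sample requests are assumptions made for the example.

Member = Struct.new(:url, :route, :usable)

# The balancer from 4.5.2, with the second member pointed at its own node (assumed address)
MEMBERS = [
  Member.new('http://10.0.6.136:7010', '1', true),
  Member.new('http://10.0.6.137:7010', '2', true),
]
STICKY = 'ROUTEID'     # ProxySet stickysession=ROUTEID

# name=value anywhere in the URL (this is why http://server/?ROUTEID=.2 works as a test)
def param_from_url(url)
  m = url.match(/#{STICKY}=([^;?&]*)/)
  (m && !m[1].empty?) ? m[1] : nil
end

def param_from_cookie(cookie_header)
  return nil unless cookie_header
  cookie_header.split(/;\s*/).each do |pair|
    name, value = pair.split('=', 2)
    return value if name == STICKY && value && !value.empty?
  end
  nil
end

# URL first, then cookie; the route is what follows the first '.', so
# "ROUTEID=.2" and "ROUTEID=abc123.2" both mean route "2", "ROUTEID=nodot" means none.
def sticky_route(url, cookie_header)
  value = param_from_url(url) || param_from_cookie(cookie_header)
  return nil unless value
  sep = value.index('.')
  sep ? value[(sep + 1)..-1] : nil
end

# Returns [member, env]. env holds what the balancer exports for mod_headers:
# BALANCER_WORKER_ROUTE always, BALANCER_SESSION_ROUTE when a route was found,
# and BALANCER_ROUTE_CHANGED when the request has no route yet or the preferred
# member is not usable and another one was chosen.
def pick_member(url, cookie_header, members = MEMBERS, counter = [0])
  route = sticky_route(url, cookie_header)
  chosen = route && members.find { |m| m.route == route && m.usable }
  unless chosen
    usable = members.select { |m| m.usable }
    raise 'no usable members' if usable.empty?
    chosen = usable[counter[0] % usable.size]   # round robin in place of the lbmethod
    counter[0] += 1
  end
  env = { 'BALANCER_WORKER_ROUTE' => chosen.route }
  env['BALANCER_SESSION_ROUTE'] = route if route
  env['BALANCER_ROUTE_CHANGED'] = '1' if route != chosen.route
  [chosen, env]
end

# The Set-Cookie that the Header rule from 4.5.2 adds when the route changed
def route_cookie(env)
  return nil unless env['BALANCER_ROUTE_CHANGED']
  "#{STICKY}=.#{env['BALANCER_WORKER_ROUTE']}; path=/"
end

if __FILE__ == $0
  rr = [0]
  [['/', nil], ['/', 'ROUTEID=.2'], ['/?ROUTEID=.1', 'ROUTEID=.2']].each do |url, cookie|
    member, env = pick_member(url, cookie, MEMBERS, rr)
    puts "#{url} cookie=#{cookie.inspect} -> #{member.url} #{route_cookie(env).inspect}"
  end
end
```

Run it with ruby and compare the output with balancer-status after sending the same requests through the real balancer; the failover case (the preferred member marked not usable) is what you should see when one node is disabled in balancer-manager.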