I use an apache2 server configured as a reverse proxy to access an internal service. To protect this service from unauthorized access I would like to use certificate-based client authentication.
Current site configuration which works fine without client authentication:
<VirtualHost api.example.com:50002>
SSLEngine on
SSLCertificateFile /srv/ssl/api.example.com.crt
SSLCertificateKeyFile /srv/ssl/api.example.com.key
ProxyPass "/" "http://127.0.0.1:50002/"
ProxyPassReverse "/" "http://127.0.0.1:50002/"
ProxyPreserveHost on
LogLevel debug
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
In order to enable certificate-based client authentication, I add these lines to the site configuration:
SSLCACertificateFile /srv/example.com.crt
SSLVerifyClient require
This works fine but allows ANY client with a certificate signed by the referenced CA (this is too permissive). Furthermore, it requires all possible CAs to be known.
I would rather maintain a local copy of the few allowed clients' certificates (some of which may be signed by a known CA and some others by an unknown CA certificate). The only thing that matters is that the certificate is in the "allow" list.
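An added example of the allow-list check described above (not from the question and not Apache's own code): the backend, or a small auth helper in front of it, receives the client's PEM certificate as mod_ssl exports it in SSL_CLIENT_CERT and admits it only if the SHA-256 fingerprint of its DER encoding is in a locally maintained list, regardless of which CA signed it. The PEM bodies below are constructed placeholders rather than real certificates, and the header-style sample is an assumption about how a proxy might forward the PEM.

```python
import base64
import hashlib
import re

# Constructed sample data, not real certificates: the base64 bodies are
# placeholders standing in for DER; the logic only needs the decoded bytes.
ALLOWED_CLIENTS_PEM = """
-----BEGIN CERTIFICATE-----
Y2xpZW50LW9uZS1kZXItcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2xpZW50LXR3by1kZXItcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
# First allowed cert as a proxy might forward it in a header (assumed form):
# the PEM line breaks have become spaces.
CLIENT_ONE_AS_HEADER = ("-----BEGIN CERTIFICATE----- "
                        "Y2xpZW50LW9uZS1kZXItcGxhY2Vob2xkZXI= -----END CERTIFICATE-----")
UNKNOWN_CLIENT_PEM = "-----BEGIN CERTIFICATE-----\ndW5rbm93bg==\n-----END CERTIFICATE-----"

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_blocks(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM bundle; [] if any block is malformed."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        b64 = re.sub(r"\s+", "", body)  # tolerate newlines, spaces or tabs
        try:
            ders.append(base64.b64decode(b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError: reject bad input
            return []
    return ders

def fingerprint(der):
    """SHA-256 of the DER encoding: what `openssl x509 -fingerprint -sha256` shows, minus colons."""
    return hashlib.sha256(der).hexdigest()

def load_allow_list(pem_bundle):
    """Fingerprints of every certificate in the locally maintained allow list."""
    return frozenset(fingerprint(d) for d in pem_to_der_blocks(pem_bundle))

def is_allowed(client_pem, allow_list):
    """Admit only a single, well-formed certificate whose fingerprint is listed."""
    ders = pem_to_der_blocks(client_pem)
    if len(ders) != 1:  # nothing, garbage, or a chain instead of one leaf: deny
        return False
    return fingerprint(ders[0]) in allow_list
```

At the proxy this pairs with `SSLVerifyClient optional_no_ca`, which still makes the client prove possession of the private key during the handshake but does not reject an unknown issuer, and `SSLOptions +ExportCertData` to expose the PEM as SSL_CLIENT_CERT. The fingerprint is only trustworthy because that handshake proof happened before the certificate reached this check.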