Forwarding client credentials through Reverse Proxy

Client credentials forwarding using Sun Java System Web Proxy Server 4.0

Introduction:

Client information such as the IP address is generally not sent by a proxy to the remote server. However, there are instances when the client's information must be passed on to the remote server, for example when the client's IP address has to be known in order to access the remote server. Sun Java System Web Proxy Server 4.0 lets you configure the proxy to send the client's IP address and the client certificate details: key size, secret key size, cipher, SSL session ID, issuer DN, user DN and the SSL/TLS certificate itself.


Requirements:

1) Web server
2) Sun Java System Web Proxy Server 4.0.x
3) CA signed server certificate installed on SJSWPS 4.0.x
4) Client certificate from a trusted CA installed in the browser. Also change the browser preferences so that it does not go through any proxy.
5) tcp_forward.pl on the same machine as the web server: forwards a TCP connection (to tap the request/response between proxy and web server). The port used for the forwarded connection is called tcpforwardPort henceforth.
6) Perl: to execute tcp_forward.pl



Deployment scenarios:

(1)

                          |
                          |
   Webserver ------------ | ------------------------------- Client(Browser)
                          |
                          |
                    Reverse Proxy



(2)

                          |                          |
                          |                          |
   Webserver ------------ | ---------------------- | -------------- Client(Browser)
                          |                          |
                          |                          |
                   tcp_forward.pl            Reverse Proxy




Steps to configure Client Credentials Forwarding (steps 1 to 4 are done from the Administration UI of SJSWPS 4.0.x):

1) Install CA signed server certificate on SJSWPS 4.0.x

    i) Manage Server tab -> Select Instance -> Security -> Create Database. Initialise the database with a valid password.
    ii) Request certificate -> Get the generated certificate request signed by a certificate authority.
    iii) Install certificate -> Copy the base 64 encoded certificate with headers and add it to the server. Install the certificate chain as well.
    iv) Manage Certificates -> Set client trust.

2) Enabling Security & Client authentication on SJSWPS 4.0.x

    i) Manage Server tab -> Select Instance -> Preferences -> Edit Listen Sockets -> Select listen socket
    ii) Select 'enabled' from the Security drop-down menu.
    iii) Edit the listen socket again. Under Security, select 'required' from the Client authentication drop-down menu and save changes.

3) Setting up Reverse proxy on SJSWPS 4.0.x  (Deployment scenario 1)

    i) Manage Server tab -> Select Instance -> URLs -> Create Mapping
    ii) Create forward mapping:
             Mapping type:        Regular
             Map source prefix:   https://proxyHost:proxyInstancePort
             Map destination:     http://webserverHost:tcpforwardPort

             Mapping type:        Regular
             Map source prefix:   /
             Map destination:     http://webserverHost:tcpforwardPort

    iii) Create reverse mapping:
             Mapping type:        Reverse
             Map source prefix:   http://webserverHost:tcpforwardPort
             Map destination:     https://proxyHost:proxyInstancePort

4) Manage Server tab -> Select Instance -> Routing -> Forward Client Credentials

       i) Select the resource for which the configuration has to be set.
       ii) Select which credentials are to be forwarded to the remote server (here, the web server).
       iii) Give valid HTTP header names for each of them.
       iv) Apply changes and restart the instance.

5) From a terminal, start the script tcp_forward.pl as follows (Deployment scenario 2):

       perl tcp_forward.pl -f tcpforwardPort -t webserverHost:webserverPort -recv -send

       example: perl tcp_forward.pl -f 2323 -t sunws.india:8080 -recv -send
       The following message will be seen:
       Server started on port 2323

6) From the browser with the client certificate installed, open:

       https://proxyHost:proxyInstancePort/testPage.html

       example: https://sunproxy:9090/testPage.html

If client credentials forwarding is enabled, the information about the client certificate in the client's browser is sent across to the origin server by the proxy server. To verify the forwarding of credentials, look at the terminal where tcp_forward.pl is running.

Sample output:

Note:
S -> sent by proxy, R -> received from web server
(IP is masked on purpose.)

>>> perl tcp_forward.pl -f 2323 -t sunws.india:8080 -recv -send
Server started on port 2323
Incoming connection
Forwarding to sunws.india:8080
S [GET /myindex.html HTTP/1.1]
S [Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0]
S [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*]
S [Accept-Language: en-us]
S [Accept-Encoding: gzip, deflate]
S [User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)]
S [Host: sunws.india:2323]
S [Client-ip: ***.***.***.***]
S [Proxy-cipher: RC4]
S [Proxy-keysize: 128]
S [Proxy-secret-keysize: 128]
S [Proxy-ssl-id: TPrrA9p11nI0ucQRE52k1aEfl5Uk7WASs8DTWoTfglg=]
S [Proxy-issuer-dn: E=devika@sun.com,CN=wps,OU=jws,O=sun,L=bng,ST=kar,C=in]
S [Proxy-user-dn: E=devika@sun.com,CN=wps,OU=jws]
S [Proxy-auth-cert: MIIDBTCCAq+gAwIBAgIBBTANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJpbjEMMAoGA1UECBMDa2FyMQwwCgYDVQQ
HEwNibmcxDDAKBgNVBAoTA3N1bjEMMAoGA1UECxMDandzMREwDwYDVQQDEwhuYWdlbmRyYTEjMCEGCSqGSIb3DQEJAR
YUbmFnZW5lZHJhLmprQHN1bi5jb20wHhcNMDQxMjE3MDYxNjUwWhcNMDUxMjE3MDYxNjUwWjBKMRAwDgYDVQQLEwdXZ
WJUaWVyMQ8wDQYDVQQDEwZzYW5qYXkxJTAjBgkqhkiG9w0BCQEWFnNhbmpheS5peWVuZ2FyQHN1bi5jb20wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMeuinauMVc9hE+FWHxtBKxqV4Mpo59OV0F8DZeAbgNMNoX6JtJRCy+4s22mldW
2UDCpr14Ap8pkYo5TcFynh81K2TtsCuqitY1fOCUoVJObUgTOPoOLi5VJqKoUw5CT6s+TShQly6s3BRamr9eDbGrHpa
u4MeTF8cqHgJZM5e7fAgMBAAGjggEHMIIBAzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyY
XRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUY16JdeH4PIpiVx46hg/4V0I8iQcwgagGA1UdIwSBoDCBnYAUqi21noO6
8mbTlhgmKWDm/8Wqk/qhgYGkfzB9MQswCQYDVQQGEwJpbjEMMAoGA1UECBMDa2FyMQwwCgYDVQQHEwNibmcxDDAKBgN
VBAoTA3N1bjEMMAoGA1UECxMDandzMREwDwYDVQQDEwhuYWdlbmRyYTEjMCEGCSqGSIb3DQEJARYUbmFnZW5lZHJhLm
prQHN1bi5jb22CAQAwDQYJKoZIhvcNAQEEBQADQQA1Sr2+NUmG/GRyf7lpvWJ5r6gRNWqXPGeM2maox1Ce/e6lXSiEj
VBjxawieYnJudCHPG4fo5b7yNUc+NX5RFJG]
S [Via: 1.1 proxy-server1]
S [Connection: keep-alive]
R [HTTP/1.1 200 OK]
R [Server: Sun-ONE-Web-Server/6.1]
R [Date: Thu, 28 Jul 2005 17:56:19 GMT]
R [Content-length: 1097]
R [Content-type: text/html]
R [Last-modified: Tue, 05 Jul 2005 22:24:02 GMT]
R [Etag: "449-42cb0882"]
R [Accept-ranges: bytes]
R [<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">]
R [<html>]
R [<head>]
R [  <meta http-equiv="content-type"]
R [ content="text/html; charset=ISO-8859-1">]
R [  <title>myindex</title>]
R [  <meta name="author" content="Devika Gopinathan">]
R [</head>]
R [<body>]
R [<br>]
R [<h2 style="text-align: center;">Test Page</h2>]
R [<br>]
R [<h2>Sun Java System Web Proxy Server 4.0</h2>]
R [<br>]
R [<font color="#ffffff"></font>]
R [<table cellpadding="2" cellspacing="2" border="1"]
R [ style="text-align: left; width: 70%;">]
R [  <tbody>]
R [    <tr>]
R [      <td style="vertical-align: top;">Ownership<br>]
R [      </td>]
R [      <td style="vertical-align: top;">Sun Java System Web Proxy Server]
R [QA</td>]
R [    </tr>]
R [    <tr>]
R [      <td style="vertical-align: top;">Date of Creation (mm/dd/yyyy)<br>]
R [      </td>]
R [      <td style="vertical-align: top;">01/07/2005<br>]
R [      </td>]
R [    </tr>]
R [    <tr>]
R [      <td style="vertical-align: top;">Page Created By<br>]
R [      </td>]
R [      <td style="vertical-align: top;">Devika Gopinathan</td>]
R [    </tr>]
R [  </tbody>]
R [</table>]
R [<h2><font color="#ffffff"><br>]
R [</font></h2>]
R [<br>]
R [<!--#include virtual="trial.shtml" -->]
R [</body>]
R [</html>]
Closed connection
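The origin server's side of this arrangement, as an added example that is not part of the original post or of SJSWPS: a small Python parser that reads the forwarded headers from a request shaped like the capture above, accepts them only when the TCP peer is the reverse proxy (any other client could set the same headers itself), and checks that Proxy-auth-cert decodes to DER. The trusted proxy address, the client IP and the certificate bytes are constructed stand-ins.

```python
import base64
from typing import Dict, Tuple

# Header names as seen in the tcp_forward.pl capture; in a deployment they are whatever
# was entered under Routing -> Forward Client Credentials.
CREDENTIAL_HEADERS = (
    "client-ip", "proxy-cipher", "proxy-keysize", "proxy-secret-keysize",
    "proxy-ssl-id", "proxy-issuer-dn", "proxy-user-dn", "proxy-auth-cert",
)
# Assumption: the reverse proxy is the only peer allowed to assert these headers.
TRUSTED_PROXY_PEERS = {"10.0.0.5"}

# Constructed stand-in for the DER certificate in Proxy-auth-cert: an ASN.1 SEQUENCE
# of two INTEGERs, enough to exercise the format check below. Not a real certificate.
FAKE_DER_CERT_B64 = base64.b64encode(b"\x30\x06\x02\x01\x05\x02\x01\x07").decode()

# Constructed request mirroring the headers in the capture (Client-ip is invented).
SAMPLE_REQUEST = (
    "GET /myindex.html HTTP/1.1\r\n"
    "Host: sunws.india:2323\r\n"
    "Client-ip: 192.0.2.10\r\n"
    "Proxy-cipher: RC4\r\n"
    "Proxy-keysize: 128\r\n"
    "Proxy-secret-keysize: 128\r\n"
    "Proxy-ssl-id: TPrrA9p11nI0ucQRE52k1aEfl5Uk7WASs8DTWoTfglg=\r\n"
    "Proxy-issuer-dn: E=devika@sun.com,CN=wps,OU=jws,O=sun,L=bng,ST=kar,C=in\r\n"
    "Proxy-user-dn: E=devika@sun.com,CN=wps,OU=jws\r\n"
    f"Proxy-auth-cert: {FAKE_DER_CERT_B64}\r\n\r\n"
).encode("iso-8859-1")

def parse_request_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into (request line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def extract_client_credentials(raw: bytes, peer_ip: str) -> Dict[str, str]:
    """Return forwarded credentials only if the TCP peer is the proxy; else drop them."""
    _, headers = parse_request_headers(raw)
    if peer_ip not in TRUSTED_PROXY_PEERS:
        return {}
    creds = {h: headers[h] for h in CREDENTIAL_HEADERS if h in headers}
    if "proxy-auth-cert" in creds:
        der = base64.b64decode(creds["proxy-auth-cert"], validate=True)
        if not der or der[0] != 0x30:  # a DER Certificate starts with a SEQUENCE tag
            raise ValueError("Proxy-auth-cert is not a DER-encoded certificate")
    return creds
```

A request carrying the same headers but arriving from any address other than the proxy yields an empty credential set, which is the behaviour an origin server behind this setup should have.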