HOWTO: Reverse Proxy using Apache with SSL and RSA SecurID® Authentication

 

By: Chris Sawall                         csawall@hotmail.com

Created: 20 May 2002

Last Updated: 19 April 2003



Version 1.6

Overview

This document is free to distribute as long as it is left in its entirety.  If changes or corrections must be made, or if you have ideas to enhance the install or its security, please let me know so that I can keep this document as up to date as possible and others are kept informed of changes as well.  Changes/additions/comments can be sent to csawall@hotmail.com.

 

This is a ‘living document’, an up to date document can be found at http://tech.stlsawall.com/docs/rproxy.htm.

 

This document will describe how to install and setup a Reverse Proxy server using Apache.  It will also detail how to include the use of SSL and RSA SecurID® Authentication.  The server only has one (1) network card installed.

 

Note:  These instructions were written with only the application versions listed below (under Applications and OS’s) in mind; they may not work exactly the same with different versions.  Do NOT use the Apache or OpenSSL packages that come with the OS for this build, as they may be different versions and are not compiled with the options this setup requires.

 

If you place this server on a secure DMZ, you will need to allow HTTPS (TCP 443) from the Internet through your firewall to the reverse proxy.  In addition, for the reverse proxy to work, you will need to allow HTTP (TCP 80) from the reverse proxy to the final destination.  Keep in mind that this second hop is plain HTTP: traffic is encrypted only between the browser and the reverse proxy, so the path from the proxy to the backend should stay on a trusted internal segment, and the firewall rule should permit it from the proxy’s address only.

 

Table of Contents

Overview

Table of Contents

Applications and OS’s

Install Mandrake

Download applications

Installing Apache

Creating your Own Self-signed Certificate

Setting up the Reverse Proxy to a single device

Setting up the Reverse Proxy to multiple servers

Adding RSA SecurID® Authentication to your Reverse Proxy

UPDATES

Disclaimer

 


Applications and OS’s

Operating system used for purposes of this documentation:

Mandrake 8.1 (http://www.mandrake.com)

 

Operating systems tested:

Mandrake 8.2 (http://www.mandrake.com)

·         Works with no changes to instructions

·         Tested by Chris Sawall (csawall@hotmail.com) on 5/22/02

Solaris 8 (http://www.sun.com)

·         Note additional software may be needed

·         Specific instructions added to install without having to install OpenSSL

·         Tested by Chris Sawall (csawall@hotmail.com) on 6/30/02

RedHat 7.3 (http://www.redhat.com)

·         OpenSSL is still installed by default, however, the openssl.cnf file is located in /usr/share/ssl.  This is different than what is listed using Mandrake (/usr/lib/ssl) under the “Creating your Own Self-signed Certificate” section of this document.

·         Tested by Chris Sawall (csawall@hotmail.com) on 6/20/02

RedHat 8.0 (http://www.redhat.com)

·         Tested by Chris Sawall (csawall@hotmail.com) on 2/28/03

 

Applications used for purposes of this documentation:

Apache 1.3.24 (http://www.apache.org)

mod_ssl 2.8.8-1.3.24 (http://www.modssl.org)

OpenSSL 0.9.6b (http://www.openssl.org)

RSA™ WebAgent 5.0 for Apache (http://www.rsasecurity.com)

 

Applications tested:

OpenSSL 0.9.6c (http://www.openssl.org)

·         Works with no changes to instructions

·         Tested by Chris Sawall (csawall@hotmail.com) on 5/22/02

OpenSSL 0.9.6d (http://www.openssl.org)

·         Tested by Chris Sawall (csawall@hotmail.com) on 6/30/02

Apache 1.3.26 (http://www.apache.org)

·         Note that mod_ssl 2.8.9-1.3.26 must be used in conjunction with Apache 1.3.26.  mod_ssl 2.8.8-1.3.24 will NOT work with Apache 1.3.26.

·         All other instructions are the same as mentioned throughout this document.

·         Tested by Chris Sawall (csawall@hotmail.com) on 6/20/02

Apache 1.3.27

·         Works with no changes to instructions

·         Note that mod_ssl 2.8.12-1.3.27 must be used with Apache 1.3.27

·         Tested by Chris Sawall (csawall@hotmail.com) on 2/28/03

Mod_SSL 2.8.9-1.3.26 (http://www.modssl.org)

·         Works with no changes to instructions

·         Tested by Chris Sawall (csawall@hotmail.com) on 6/20/02

Mod_SSL 2.8.12-1.3.27

·         Works with no changes to instructions

·         Tested by Chris Sawall (csawall@hotmail.com) on 4/19/03

RSA WebAgent 5.1

·         Works with Apache versions greater than 1.3.26, but code must be modified.  See directions within my SANS documentation for changes. http://www.giac.org/practical/GSEC/Chris_Sawall_GSEC.pdf

·         Tested by Chris Sawall (csawall@hotmail.com) on 4/19/03

Install Mandrake

 

I will assume that you can install the OS to a minimal, secure configuration.  Since this box will be accessible by users on the Internet, you want to minimize the chance of anyone running exploits against it.  Do not install any unnecessary applications or services, and do not install any X applications such as KDE or Gnome.

 

You will need to leave the Portmap service running if you are going to use RSA SecurID® to authenticate inbound users from the Internet.  Nothing on the Internet needs to reach it, however, so block TCP and UDP port 111 inbound to the reverse proxy at the firewall.

 

Download applications

 

Create a common directory and download all of the necessary applications.

 

mkdir /home/download

 

Apache 1.3.24 http://www.apache.org/dist/httpd/apache_1.3.24.tar.gz

mod_ssl 2.8.8 http://www.modssl.org/source/mod_ssl-2.8.8-1.3.24.tar.gz

OpenSSL 0.9.6b http://www.openssl.org/source/openssl-0.9.6b.tar.gz

RSA™ WebAgent 5.0 http://www.rsasecurity.com/go/apacheagent/index.html

 

For Solaris, you will probably need to get a compiler and a compression program.  I downloaded and installed:

 

GCC 2.95.3 http://www.sunfreeware.com/

GZIP 1.3.3 http://www.sunfreeware.com/

 

Unzip and Untar applications

 

cd /home/download

gzip -d apache_1.3.24.tar.gz

gzip -d mod_ssl-2.8.8-1.3.24.tar.gz

gzip -d openssl-0.9.6b.tar.gz

tar xvf apache_1.3.24.tar

tar xvf mod_ssl-2.8.8-1.3.24.tar

tar xvf openssl-0.9.6b.tar

mkdir rsaweb

mv WebAgent.tar ./rsaweb/

cd rsaweb

tar xvf WebAgent.tar

cd /home/download

 

Additionally, for Solaris

 

uncompress gzip-1.3.3-solaris8.Z

pkgadd -d gzip-1.3.3-solaris8

gzip -d gcc-2.95.3-sol8-sparc-local.gz

pkgadd -d gcc-2.95.3-sol8-sparc-local

 

Add the following to /.profile (root’s profile) so that the build tools and the openssl binary built in the source tree are found:

PATH=$PATH:/usr/local/bin:/usr/ccs/bin:/home/download/openssl-0.9.6b/apps
export PATH

Log out and log back in so the new PATH takes effect.

 

Installing Apache

Configure OpenSSL

 

cd /home/download/openssl-0.9.6b

./config

make

 

Configure mod_ssl

 

cd /home/download/mod_ssl-2.8.8-1.3.24

./configure --with-apache=../apache_1.3.24 \
         --with-ssl=../openssl-0.9.6b \
         --prefix=/usr/local/apache

 

Configure Apache

 

cd /home/download/apache_1.3.24

SSL_BASE=/home/download/openssl-0.9.6b ./configure \
--with-layout=Apache --prefix=/usr/local/apache \
--enable-module=ssl --enable-module=so \
--enable-module=proxy

make

make certificate

 

Follow the onscreen instructions on creating a test certificate.   Hints:

·         Choose RSA as the type.

·         Spell out the STATE, for example, enter Missouri not MO

·         Spell out the CITY, for example, enter Saint Louis not St. Louis

·         Common Name is the fully qualified host name users will type into their browser, for example www.yourserver.com.  If it does not match the name in the URL, every browser will warn about the certificate.

·         Certificate length defaults to 365 days (1 year), you can enter whatever length you choose.  For example, 7300 days is 20 years.

·         Encrypt the key when asked.

·         Set your pass phrase and do not forget it.

 

make install

 

Test your Apache install

 

/usr/local/apache/bin/apachectl startssl

 

You will have to enter your pass phrase when starting Apache.  The pass phrase encrypts the private key on disk, so a copy of the key file alone is useless to an attacker and only someone who knows the phrase can start the SSL web server.  We will remove this protection further down in the document under Creating your Own Self-signed Certificate, trading that safeguard for unattended restarts.

 

You should be able to browse to https://www.yourserver.com/ with any Internet browser.  You will be prompted to accept the certificate.  The prompt warns that the certificate is self-signed, i.e. not issued by a certificate authority the browser trusts.  For testing purposes, this is fine.  The web server should return the SSL/TLS test web page.

 

Setting up the Reverse Proxy to a single device

In order to configure Apache as a Reverse Proxy, you will have to edit the httpd.conf file.  Be sure to create a backup of the file before editing.

cd /usr/local/apache/conf

cp httpd.conf httpd.orig

vi httpd.conf

 

Go to the “SSL Global Context” portion of the httpd.conf file, it should be after the virtual host setup.  Within “SSL Global Context”, go to “SSL Virtual Host Context”, it should look similar to the following:

##

## SSL Virtual Host Context

##

 

<VirtualHost _default_:443>

 

#  General setup for the virtual host

DocumentRoot "/usr/local/apache/htdocs"

ServerName yourserver.yourdomain.com

ServerAdmin root@yourserver.yourdomain.com

ErrorLog /usr/local/apache/logs/error_log

TransferLog /usr/local/apache/logs/access_log

 

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

 

#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 

#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If

#   the certificate is encrypted, then you will be prompted for a

#   pass phrase.  Note that a kill -HUP will prompt again. A test

#   certificate can be generated with `make certificate' under

#   built time. Keep in mind that if you've both a RSA and a DSA

#   certificate you can configure both in parallel (to also allow

#   the use of DSA ciphers, etc.)

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt

 

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/yourserver.key

#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key

 

#   Server Certificate Chain:

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/usr/local/apache/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

 

#   SSL Protocol Adjustments:

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

 

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog /usr/local/apache/logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

</VirtualHost>

 

You will need to add the following lines in this area.  It should look something like the following:

 

##

## SSL Virtual Host Context

##

 

<VirtualHost _default_:443>

 

#  General setup for the virtual host

DocumentRoot "/usr/local/apache/htdocs"

ServerName yourserver.yourdomain.com

ServerAdmin root@yourserver.yourdomain.com

ErrorLog /usr/local/apache/logs/error_log

TransferLog /usr/local/apache/logs/access_log

 

ProxyPass / http://192.168.200.200/

ProxyPassReverse / http://192.168.200.200/

# This should be the address of the backend server that the Reverse Proxy

# will be sending traffic to.

# For more information about Reverse Proxying with Apache, please review the

# mod_proxy document at http://httpd.apache.org/docs/mod/mod_proxy.html

 

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

</VirtualHost>

 

 

Save and quit from editing the httpd.conf file.

 

Restart your Apache server and then test out the reverse proxy.

 

/usr/local/apache/bin/apachectl stop

/usr/local/apache/bin/apachectl startssl

 

Remember that you will have to enter your pass phrase to start the SSL web server.

 

You should be able to browse to https://www.yourserver.com/ with any Internet browser.  Only now, instead of getting the SSL/TLS test page, you should get the web page from your backend server.  Your address bar should still read https://www.yourserver.com/, yet display the contents from the backend server.
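Putting the pieces together, here is a tightened version of the _default_:443 virtual host.  This is an added example written for this edit, not configuration from the original HOWTO; it keeps the placeholder names used above (yourserver.yourdomain.com, 192.168.200.200, the server.crt and server.key produced by make certificate) and goes into the same place inside <IfDefine SSL>.  Two things are changed from the stock file: ProxyRequests is stated explicitly as Off, so the box can never be turned into an open forward proxy, and the protocol and cipher list drops SSLv2 and the LOW and EXPort suites that the default SSLCipherSuite line still admits.

```apache
# Added example, not part of the original HOWTO.  Drop-in replacement for the
# <VirtualHost _default_:443> block inside <IfDefine SSL>; names, addresses
# and paths are the placeholders used throughout this document.

# mod_proxy is loaded only to act as a reverse proxy.  ProxyRequests already
# defaults to Off, but state it: with it On, anyone on the Internet could
# relay requests through this box to arbitrary hosts, including internal ones.
ProxyRequests Off

<VirtualHost _default_:443>
    ServerName   yourserver.yourdomain.com
    ServerAdmin  root@yourserver.yourdomain.com
    DocumentRoot "/usr/local/apache/htdocs"
    ErrorLog     /usr/local/apache/logs/error_log
    TransferLog  /usr/local/apache/logs/access_log

    SSLEngine on

    # Refuse SSLv2 outright (mod_ssl 2.8 accepts SSLv2, SSLv3, TLSv1 and all).
    SSLProtocol all -SSLv2

    # Stock list:  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # It still permits 40-bit export and other LOW ciphers.  Keep HIGH and
    # MEDIUM only, and exclude anonymous (aNULL/ADH) and null (eNULL) suites.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2

    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # Everything under / goes to the backend over plain HTTP.  This hop is
    # not encrypted, so it belongs on a trusted segment with a firewall rule
    # that allows TCP 80 from this proxy only.
    ProxyPass        / http://192.168.200.200/

    # Rewrite the Location header of backend redirects so that a redirect to
    # http://192.168.200.200/login/ reaches the browser as
    # https://yourserver.yourdomain.com/login/ instead of exposing an internal
    # address the browser could not reach anyway.
    ProxyPassReverse / http://192.168.200.200/

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog /usr/local/apache/logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Run /usr/local/apache/bin/apachectl configtest before restarting so a typo does not leave you without a web server.  Once it is up, an SSLv2-only handshake from another machine (openssl s_client -connect yourserver.yourdomain.com:443 -ssl2) should now fail, while a normal one succeeds.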

 

Setting up the Reverse Proxy to multiple servers

In order to configure Apache as a Reverse Proxy, you will have to edit the httpd.conf file.  Be sure to create a backup of the file before editing.

cd /usr/local/apache/conf

cp httpd.conf httpd.orig

vi httpd.conf

 

Go to the “SSL Global Context” portion of the httpd.conf file, it should be after the virtual host setup.  It should look similar to the following:

 

##

##  SSL Global Context

##

##  All SSL configuration in this context applies both to

##  the main server and all SSL-enabled virtual hosts.

##

 

#

#   Some MIME-types for downloading Certificates and CRLs

#

<IfDefine SSL>

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl    .crl

</IfDefine>

 

<IfModule mod_ssl.c>

 

#   Pass Phrase Dialog:

#   Configure the pass phrase gathering process.

#   The filtering dialog program (`builtin' is a internal

#   terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog  builtin

 

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism

#   to use and second the expiring timeout (in seconds).

#SSLSessionCache        none

#SSLSessionCache        shmht:/usr/local/apache/logs/ssl_scache(512000)

#SSLSessionCache        shmcb:/usr/local/apache/logs/ssl_scache(512000)

SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache

SSLSessionCacheTimeout  300

 

#   Semaphore:

#   Configure the path to the mutual exclusion semaphore the

#   SSL engine uses internally for inter-process synchronization.

SSLMutex  file:/usr/local/apache/logs/ssl_mutex

 

#   Pseudo Random Number Generator (PRNG):

#   Configure one or more sources to seed the PRNG of the

#   SSL library. The seed data should be of good random quality.

#   WARNING! On some platforms /dev/random blocks if not enough entropy

#   is available. This means you then cannot use the /dev/random device

#   because it would lead to very long connection times (as long as

#   it requires to make more entropy available). But usually those

#   platforms additionally provide a /dev/urandom device which doesn't

#   block. So, if available, use this one instead. Read the mod_ssl User

#   Manual for more details.

SSLRandomSeed startup builtin

SSLRandomSeed connect builtin

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed startup file:/dev/urandom 512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

 

#   Logging:

#   The home of the dedicated SSL protocol logfile. Errors are

#   additionally duplicated in the general error log file.  Put

#   this somewhere where it cannot be used for symlink attacks on

#   a real server (i.e. somewhere where only root can write).

#   Log levels are (ascending order: higher ones include lower ones):

#   none, error, warn, info, trace, debug.

SSLLog      /usr/local/apache/logs/ssl_engine_log

SSLLogLevel info

 

</IfModule>

 

<IfDefine SSL>

##

## SSL Virtual Host Context

##

 

<VirtualHost _default_:443>

 

#  General setup for the virtual host

DocumentRoot "/usr/local/apache/htdocs"

ServerName yourserver.yourdomain.com

ServerAdmin root@yourserver.yourdomain.com

ErrorLog /usr/local/apache/logs/error_log

TransferLog /usr/local/apache/logs/access_log

 

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

 

#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 

#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If

#   the certificate is encrypted, then you will be prompted for a

#   pass phrase.  Note that a kill -HUP will prompt again. A test

#   certificate can be generated with `make certificate' under

#   built time. Keep in mind that if you've both a RSA and a DSA

#   certificate you can configure both in parallel (to also allow

#   the use of DSA ciphers, etc.)

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt

 

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key

 

#   Server Certificate Chain:

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/usr/local/apache/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

 

#   SSL Protocol Adjustments:

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

 

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog /usr/local/apache/logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

</VirtualHost>

 

 

 

You will want to make the following modifications/additions to the configuration:

 

 

##

##  SSL Global Context

##

##  All SSL configuration in this context applies both to

##  the main server and all SSL-enabled virtual hosts.

##

 

<--- SKIPPING SEVERAL LINES --->

 

 

</IfModule>

 

<IfDefine SSL>

 

##

## SSL Virtual Host Context

##

NameVirtualHost w.x.y.z:443

 

#Where w.x.y.z is the IP address of the Apache server

 

# The following is a new virtual host added above the default virtual host.
# You will need to ensure that you have all of the correct information from the
# original virtual host.  (The virtual host listed below this new virtual host)
# You will then need to modify the default virtual host,
# removing the _default_ and putting in an IP-based virtual host.
# For more information on using virtual hosts in Apache, see
# http://httpd.apache.org/docs/vhosts/index.html

 

<VirtualHost w.x.y.z:443>

ServerName newname.yourdomain.com

DocumentRoot "/usr/local/apache/htdocs"

ErrorLog /usr/local/apache/logs/error_log

TransferLog /usr/local/apache/logs/access_log

 

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache/conf/ssl.crt/yourserver.crt

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/yourserver.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/usr/local/apache/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

ProxyPass       /       http://192.168.200.100/

ProxyPassReverse        /       http://192.168.200.100/

 

# This should be the address of the new backend server that the Reverse Proxy

# will be sending traffic to.

# For more information about Reverse Proxying with Apache, please review the

# mod_proxy document at http://httpd.apache.org/docs/mod/mod_proxy.html

 

</VirtualHost>

 

 

#<VirtualHost _default_:443>

<VirtualHost w.x.y.z:443>

 

#  General setup for the virtual host

DocumentRoot "/usr/local/apache/htdocs"

ServerName yourserver.yourdomain.com

ServerAdmin root@yourserver.yourdomain.com

ErrorLog /usr/local/apache/logs/error_log

TransferLog /usr/local/apache/logs/access_log

 

ProxyPass / http://192.168.200.200/

ProxyPassReverse / http://192.168.200.200/

# This should be the address of the backend server that the Reverse Proxy

# will be sending traffic to.

# For more information about Reverse Proxying with Apache, please review the

# mod_proxy document at http://httpd.apache.org/docs/mod/mod_proxy.html

 

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

 

#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 

#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If

#   the certificate is encrypted, then you will be prompted for a

#   pass phrase.  Note that a kill -HUP will prompt again. A test

#   certificate can be generated with `make certificate' under

#   built time. Keep in mind that if you've both a RSA and a DSA

#   certificate you can configure both in parallel (to also allow

#   the use of DSA ciphers, etc.)

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt

 

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key

 

#   Server Certificate Chain:

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/usr/local/apache/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

 

#   SSL Protocol Adjustments:

 

<--- SKIPPING SEVERAL COMMENTED LINES --->

 

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

 

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog /usr/local/apache/logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

</VirtualHost>

 

 

Save and quit from editing the httpd.conf file.

 

Restart your Apache server and then test out the reverse proxy.

 

/usr/local/apache/bin/apachectl stop

/usr/local/apache/bin/apachectl startssl

 

Remember that you will have to enter your pass phrase to start the SSL web server.

 

You should be able to browse to https://www.yourserver.com/ or to your new virtual server https://www.yournewserver.com/ with any Internet browser.  Only now, instead of getting the SSL/TLS test page, you should get the web page from the corresponding backend server.  The address bar should still read the name you browsed to, yet display the contents from that backend server.  One caveat with name-based virtual hosts on port 443: the server must send its certificate before it has seen the Host: header, so this generation of Apache/mod_ssl uses the certificate and key of the first virtual host defined for w.x.y.z:443 for every name on that address.  Requests are still routed to the right backend, but users visiting the second name will see a certificate name-mismatch warning.  If that is not acceptable, give each name its own IP address and certificate.
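Where a second backend can live under its own path instead of needing its own host name, one SSL virtual host with prefix-based ProxyPass rules sidesteps the certificate problem entirely: a single certificate for yourserver.yourdomain.com covers everything.  This is an added example, not configuration from the original HOWTO.  The prefixes /intranet/ and /mail/ are illustrative, and the example assumes each backend application is installed under the same path on its own server: ProxyPassReverse only fixes redirect headers, not absolute links inside HTML, so keeping the prefix identical on both sides is what keeps links working.

```apache
# Added example, not part of the original HOWTO: two backends behind one
# certificate, selected by URL prefix rather than by host name.
ProxyRequests Off

<VirtualHost _default_:443>
    ServerName   yourserver.yourdomain.com
    DocumentRoot "/usr/local/apache/htdocs"
    ErrorLog     /usr/local/apache/logs/error_log
    TransferLog  /usr/local/apache/logs/access_log

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/yourserver.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/yourserver.key

    # Rules are tried in the order written, so list the longer prefixes first
    # and never put a bare "/" rule above them (it would swallow every request).
    ProxyPass        /intranet/ http://192.168.200.100/intranet/
    ProxyPassReverse /intranet/ http://192.168.200.100/intranet/

    ProxyPass        /mail/     http://192.168.200.200/mail/
    ProxyPassReverse /mail/     http://192.168.200.200/mail/

    # Requests that match no rule would fall through to the local DocumentRoot.
    # Deny everything by default and open only the two published prefixes, so
    # the proxy exposes exactly what was intended and nothing else.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    <Location /intranet/>
        Order allow,deny
        Allow from all
    </Location>
    <Location /mail/>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
```

A request for https://yourserver.yourdomain.com/mail/inbox is forwarded to http://192.168.200.200/mail/inbox, a request for /intranet/ goes to 192.168.200.100, and a request for / (or any unpublished path) gets 403 Forbidden from the proxy without touching a backend.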

 

 

Creating your Own Self-signed Certificate

You need a working openssl binary for this section.  Running ./config and make earlier only built OpenSSL inside the source tree so that mod_ssl could link against it; it did not install anything system-wide.  This documentation assumes that you are using OpenSSL 0.9.6b.

 

Mandrake 8.1 and 8.2 as well as RedHat 7.3 install OpenSSL by default.  The following command should display the version of the installed OpenSSL:

 

openssl version

 

cd /usr/local/apache/conf

ls

 

You should see several folders:  ssl.crl, ssl.crt, ssl.csr, ssl.key and ssl.prm.  These are the folders where the SSL certificate material is stored.  The following steps are adapted from http://www.apache-ssl.org/#FAQ.

 

Creating a new certificate signing request (CSR) and private key

 

openssl req -config /usr/lib/ssl/openssl.cnf -new \
-out yourserver.csr

 

For a Solaris install, the following command may be run without having to install OpenSSL; it uses the openssl binary and the openssl.cnf from the source tree built earlier:

 

openssl req -config \
/home/download/openssl-0.9.6b/apps/openssl.cnf -new \
-out yourserver.csr -rand \
/home/download/openssl-0.9.6b/ms/.rnd

 

 

Note that the openssl.cnf file may be in a different location on your server (see the RedHat 7.3 note above).  Follow the onscreen instructions to fill in the request.  Do not forget the pass phrase that you create, and remember to use the full spelling for both the State and City.  Two points worth knowing: the key size comes from default_bits in openssl.cnf (1024 in the stock file of this era), and you can override it by adding -newkey rsa:2048 to the command; and the ms/.rnd file used for -rand on Solaris ships with the source and is public, so it adds no real entropy.  If your Solaris system has a /dev/random or /dev/urandom device, point -rand at that instead.

 

openssl rsa -in privkey.pem -out yourserver.key

 

This removes the pass phrase from the private key so that Apache can start without a human typing it.  Understand the trade-off: anyone who can read this file can impersonate your server, so it should be owned by root with mode 400.  Apache reads the key once as root at start-up, before dropping to its unprivileged user, so the httpd user does not need read access to it.

 

Enter your passphrase from the previous step when asked.

 

openssl x509 -in yourserver.csr -out yourserver.crt -req  \

-signkey yourserver.key -days 7300

 

This should create your certificate.  It should come back and say that the signature is OK.

 

Move each new file to its respective folder:

 

mv /usr/local/apache/conf/yourserver.csr \
   /usr/local/apache/conf/ssl.csr/yourserver.csr

mv /usr/local/apache/conf/yourserver.crt \
   /usr/local/apache/conf/ssl.crt/yourserver.crt

chmod 400 /usr/local/apache/conf/yourserver.key

mv /usr/local/apache/conf/yourserver.key \
   /usr/local/apache/conf/ssl.key/yourserver.key

rm -f /usr/local/apache/conf/privkey.pem

 

Edit the httpd.conf file to reflect the new certificate and key.  Remember to back up the httpd.conf, just in case.

 

Search the httpd.conf file for server.key and server.crt, replacing both with yourserver.key and yourserver.crt, respectively. 

 

Restart Apache with SSL.

 

/usr/local/apache/bin/apachectl stop

/usr/local/apache/bin/apachectl startssl

 

Note that the server does not ask you to enter a passphrase to start the SSL web server.

 

 

Adding RSA SecurID® Authentication to your Reverse Proxy

This section assumes that you already have an RSA ACE/Server® in your environment.  If the reverse proxy is placed outside the firewall or on a secured DMZ (preferred), you will need to allow access from the reverse proxy to your RSA ACE/Server® on UDP 5500.

 

KEY POINTS:

·         The reverse proxy server must also be resolvable by DNS.  The RSA™ web agent issues cookies to the client, which are based on a domain suffix.  So your reverse proxy server must resolve to something like yourserver.yourdomain.com.

·         The /etc/hosts file must have the proper address listed for your server.  If it has any other IP address, such as 127.0.0.1 listed, RSA™ web agent will NOT work.

·         It is important to note that the current version of the RSA™ web agent (version 5.0) only works with Apache 1.3.22 through 1.3.26.

 

Add the Reverse Proxy as an Agent Host to the RSA ACE/Server®.

·         It will need to be defined as a Unix Server

 

Copy the sdconf.rec file from the RSA ACE/Server® to a floppy.

 

Copy the sdconf.rec file from the floppy to the Reverse Proxy

 

mkdir /floppy

mount -t auto /dev/fd0 /floppy

mkdir /var/ace

chmod 774 /var/ace

cp /floppy/sdconf.rec /var/ace/

chmod 644 /var/ace/sdconf.rec

 

These permissions are needed for the RSA™ web agent on the Reverse Proxy to read its configuration and communicate properly with the RSA ACE/Server®.

 

You will need to stop Apache before continuing on with the installation of the web agent.

 

/usr/local/apache/bin/apachectl stop

cd /home/download/rsaweb

./install

 

During the install, you will need to:

·         Agree to the EULA (after reading it, naturally)

·         Accept the conditions  (type Accept)

·         Accept the default directory location of sdconf.rec ([/var/ace])

·         Accept the default path to the Apache install ([/usr/local/apache])

·         Accept the default path to the httpd.conf file ([/usr/local/apache/conf/httpd.conf])

·         Accept the default path to the httpd binary ([/usr/local/apache/bin/httpd])

 

All files for the RSA™ web agent will install into /usr/local/apache/rsawebagent.

 

Setup will begin immediately.  Follow the onscreen instructions; all of the default parameters are acceptable, but I would suggest the following:

·         On the first setup screen, I change “Expiration time for idle cookie in minutes” from 15 to 45.  I do this to help the end user and increase the time.  This is especially useful when setting up a reverse proxy to work with Microsoft Outlook Web Access (OWA).  Bear in mind that a longer idle timeout also lengthens the window in which an unattended browser session stays authenticated.

·         On the second setup screen, I change “Use separate Page for username and PASSCODE” from enable to disable. 

 

Note:  RSA™ recommends using separate pages.  This is discussed in the documentation that comes with the web agent install.  I feel that since I’m using SSL to encrypt the tunnel between the end user and the reverse proxy, I don’t need the extra security of using separate pages for username and PASSCODE.  If you are not using SSL with your Reverse Proxy, I would suggest following RSA’s recommendation of using separate pages.

 

Test Authentication

 

You will need to test the authentication to verify that the Reverse Proxy is communicating properly with the RSA ACE/Server®.

 

cd /usr/local/apache/rsawebagent

./acetest

 

You should get the following:

·         Enter USERNAME: {enter your RSA SecurID® username}

·         Enter PASSCODE: {enter your PIN and TOKENCODE}

·         If successful, it should return “PASSCODE accepted”

 

Doing this test will create two files, “securid” and “sdstatus.{x}”, in the /var/ace directory.  The “securid” file is the node secret (node verification) file: it holds the shared secret the RSA ACE/Server® uses to verify that this agent host is who it claims to be, so treat it with the same care as a private key.  By default, it does not have the correct permissions for subsequent authentication tests.  You must change the permissions on this file.

 

chmod 440 /var/ace/securid

 

Run a test authentication again to verify that it still works.

 

./acetest

 

If the test is successful and there are no node verification failures on the RSA ACE/Server®, you will now need to test to see if authentication works on Apache.

 

/usr/local/apache/bin/apachectl startssl

 

If your private key is still pass phrase protected, you will have to enter the pass phrase to start the SSL web server; after the steps under Creating your Own Self-signed Certificate it no longer is.

 

You may get the following warning when starting the web server after installing the RSA™ web agent:

 

“[DATE] [warn] module mod_rsawebagent.c is already added, skipping”

 

Everything is fine and will work properly.  The warning appears because LoadModule already adds the module to the active module list, which makes the AddModule line that follows it redundant.  To get rid of the warning, edit the RSA™ web agent configuration file.

 

vi /usr/local/apache/rsawebagent/rsawebagent.conf

 

The following is the default configuration:

 

#

# RSA Web Agent configuration information

# This file is included by the current httpd.conf file

#

# Load and add the web agent module in the configuration

LoadModule rsawebagent_module /usr/local/apache/rsawebagent/mod_rsawebagent.so

AddModule mod_rsawebagent.c

#

# RSA Web Agent installation directory

#

<IfModule mod_rsawebagent.c>

RSAWebAgentInstallPath /usr/local/apache/rsawebagent

VAR_ACEPath /var/ace

</IfModule>

 

 

Make the following change by commenting out the AddModule line:

 

#

# RSA Web Agent configuration information

# This file is included by the current httpd.conf file

#

# Load and add the web agent module in the configuration

LoadModule rsawebagent_module /usr/local/apache/rsawebagent/mod_rsawebagent.so

#AddModule mod_rsawebagent.c

#

# RSA Web Agent installation directory

#

<IfModule mod_rsawebagent.c>

RSAWebAgentInstallPath /usr/local/apache/rsawebagent

VAR_ACEPath /var/ace

</IfModule>

 

Restart Apache and everything should be fine.

 

/usr/local/apache/bin/apachectl stop

/usr/local/apache/bin/apachectl startssl

 

If your private key is still pass phrase protected, you will have to enter the pass phrase to start the SSL web server; after the steps under Creating your Own Self-signed Certificate it no longer is.

 

Browse to https://www.yourserver.com/ with an Internet browser.  You will be prompted to accept the certificate, do so.  When the web site is displayed, it should show a new web page for the RSA SecurID® authentication. 

 

Enter your username and PASSCODE in the appropriate fields and click submit.  It should come back and say that authentication was successful and then present the content from your backend server.

 

 

UPDATES

05/22/02

·         Added tests for Mandrake 8.2 and OpenSSL 0.9.6c

 

05/22/02

·         Added links for up to date documentation.

 

05/29/02

·         Changed info for adding ProxyPass and ProxyPassReverse directives

·         Added info on setting up a Reverse Proxy to multiple servers

·         Added RSA trademark information

 

06/20/02

·         Added tests for RedHat 7.3, Apache 1.3.26 and mod_ssl 2.8.9-1.3.26

·         Added KEY POINTS under the RSA install section

 

12/03/02

·         Added tests for Solaris 8, OpenSSL 0.9.6d

·         Added a few specific instructions for Solaris install

 

 

 

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an “as is” condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

 

 

 

 

 

 

Product Name        Trademark Information

RSA™                When referring to other RSA products, such as the web agent, RSA is a trademark of RSA Security, Inc.

RSA SecurID®        SecurID is a registered trademark and RSA is a trademark of RSA Security Inc.

RSA ACE/Server®     ACE/Server is a registered trademark and RSA is a trademark of RSA Security Inc.