How to configure reverse proxy service using VIP and use 3rd party signed server certificate in reverse proxy service, with verify client option enabled


Article ID: 168146

Products

ProxySG Software - SGOS

Issue/Introduction

Resolution

OCS IP = 2.2.2.2
Reverse proxy VIP = 1.1.1.1
3rd party SSL tool: OpenSSL (how to generate a CA certificate and sign the server certificate / client certificate with OpenSSL is out of scope for this article)
Root CA cert: Root.crt (generated by OpenSSL)
Root CA key: Root.key (generated by OpenSSL)
Client cert: Client.pfx (generated and converted by OpenSSL)


Step 1: Configure the VIP. Go to Configuration >>> Network >>> Advanced >>> VIP and configure an IP address in the same range as the proxy's user-facing interface, for example 1.1.1.1.

Step 2: Configure the forwarding host. Go to Configuration >>> Forwarding >>> Forwarding host >>> New

             Host: 2.2.2.2
             Type: Server
             Port: http / https

Step 3: Create a keyring. Go to Configuration >>> SSL >>> Keyrings, click Create, type in the keyring name "Testkey", and generate a 2048-bit key.

Step 4: Generate the CSR. Edit the keyring, click Create CSR, then click OK. Edit the keyring again, copy the text in the "Certificate signing request" field to a text file, and save it as server.txt.

Step 5: Sign the server CSR using OpenSSL:  openssl x509 -req -days 365 -CA root.crt -CAkey root.key -CAcreateserial -in server.txt -out server.crt -extfile openssl.txt

Step 6: Open server.crt and copy the whole PEM text. Go back to the keyring page, edit "Testkey", and paste it into the "Certificate" field.

Step 7: Import root.crt into the CA list. Go to Configuration >>> SSL >>> CA Certificates, click Import, then paste the PEM text from Root.crt.

Step 8: Create a new CCL. Go to Configuration >>> SSL >>> CA Certificate Lists, create a new list, and make sure Root.crt is a member of this list.

Step 9: Create a new HTTPS proxy service. Go to Configuration >>> Services >>> Proxy Services and click Create new service:
             i) Name: Test reverse proxy
             ii) Proxy: HTTPS reverse proxy
             iii) Keyring: Testkey
             iv) CCL: the one newly created in step 8
             v) Source: all
             vi) Destination: 1.1.1.1/32
             vii) Port: http/https
             viii) Enable verify client

Step 10: Basic required CPL

<Proxy>
url.host.exact="1.1.1.1" url.port=443 allow

<Forward>
server_url.address=1.1.1.1 forward("2.2.2.2") forward.fail_open(no)

Step 11: Generate the client certificate, sign it with the same Root.key, and convert it to PFX format:

                openssl pkcs12 -export -out client.pfx -in client.crt -inkey client.key

Step 12: Import client.pfx into the browser's "Personal" certificate store.

Step 13 (optional): Import root.crt into the browser's "Trusted Root Certification Authorities" store.

Without steps 11 and 12, you will see neither the web page load nor an SSL error prompt.
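The OpenSSL side of steps 5 and 11, as an added example that is not part of the article: it issues the server and client certificates from one root CA and checks that each chains to that CA before anything is pasted into the ProxySG, which is exactly the relationship the CCL and "verify client" option rely on. The root CA, the CSRs and the contents of openssl.txt are assumptions here (the article leaves them out of scope); file names follow the article.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes a working "openssl" binary.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Assumption: a self-signed root CA standing in for the article's Root.crt / Root.key.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Assumption: a locally generated CSR stands in for the one copied from the keyring
# in step 4 (server.txt) and for the client request of step 11.
make_csr() { # $1 = file stem, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.txt" 2>/dev/null
}

# Step 5 / step 11: sign a CSR with the root CA. openssl.txt content is an assumption:
# serverAuth for the reverse-proxy keyring certificate, clientAuth for the browser one.
sign_csr() { # $1 = file stem, $2 = extendedKeyUsage value
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" > "$WORK/openssl.txt"
  openssl x509 -req -days 365 -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -in "$WORK/$1.txt" -out "$WORK/$1.crt" -extfile "$WORK/openssl.txt" 2>/dev/null
}

# The check to run before import: does the certificate chain to the CA that will be
# in the CCL? A client certificate that fails this is what produces the silent
# "no page, no error" behaviour described above. Returns 0 when the chain verifies.
chains_to_root() { # $1 = file stem
  openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 11: bundle the client certificate and key for import into the browser store.
# The export password is a constructed sample value.
make_pfx() {
  openssl pkcs12 -export -passout pass:changeit -out "$WORK/client.pfx" \
    -in "$WORK/client.crt" -inkey "$WORK/client.key"
}

run_all() {
  make_root_ca
  make_csr server 1.1.1.1 && sign_csr server serverAuth
  make_csr client browser-user && sign_csr client clientAuth
  chains_to_root server && chains_to_root client && make_pfx
}
```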