How to configure reverse proxy service using VIP and use 3rd party signed server certificate in reverse proxy service, with verify client option enabled

Article Id: 168146
Status: Published
Updated On: 13-05-2017 11:26
Legacy Id: TECH244696
Products:
ProxySG Software - SGOS
Issue/Introduction:

Resolution:

OCS IP = 2.2.2.2
Reverse proxy VIP = 1.1.1.1
3rd Party SSL tool : OpenSSL ( Detail of How to generate CA certificate and sign server certificate / sign client certificate using OpenSSL is out of scope of this article)
root CA cert : Root.crt ( generated by OpenSSL)
Root CA key : Root.key ( generated by OpenSSL)
Client Cert : Client.pfx ( Generated and converted by OpenSSL)


Step 1 :  Configure VIP , go to conifguration >>> Network >>> advance >>> VIP  , configure an IP address same range as proxy user-facing interface. For example, 1.1.1.1

Step 2:  Configure forwarding host, go to configuration >>>Forwarding >>> Forwarding host >>> new

             Host : 2.2.2.2
             Type : Server
             Port  : http / https

step 3 : Create key Ring  , Go to Configuration >>> SSL >>> key rings , Click create , type in the key ring name "Testkey", and generate key 2048 bits.

Step 4 : Generate CSR , Edit the keyring, click create CSR, then click ok, then edit the keyring again, then copy the words in the "certificate signing request" to a text file, save it as server.txt

Step 5: Sign the the server CSR using OpenSSL :  openssl x509 -req -days 365 -CA root.crt -CAkey root.key -CAcreateserial -in server.txt -out server.crt -extfile openssl.txt

Step 6 : Double click server.crt, copy all the PEM words. Then go back to the keyring page, edit "Testkey", then paste into the "certificate"

Step 7 : Import root.crt to CA list, go to Configuration >>> SSL >>> CA certificates, click import. Then paste the PEM words from Root.crt.

Step 8 : Create new CCL , Go to Configuration >>> SSL >>> CA certificate list, create new, then make sure Root.crt is one of this group.

Step 9 : Create new https proxy service, go to configuration >>> Services >>> proxy services , click create new service
             i) Name : Test reverse proxy
             ii) Proxy : HTTPS reverse proxy
             iii) Keyring : Testkey
             iv) CCL : The one newly created in step 8
             v) source : all
             vi) Destination : 1.1.1.1/32
             vii) Port : http/https
             viii) Enable verify client
    

Step 10 : Basic required CPL

<proxy>
url.host.exact="1.1.1.1"       url.port=443 allow
 
<Forward>
server_url.address=1.1.1.1 forward("2.2.2.2") forward.fail_open(no)

Step 11 : Generate client cert, and sign it with the same Root.key, convert it to pfx format 

                openssl pkcs12 -export -out client.pfx -in client.crt -inkey client.key

Step 12 : Import client.pfx to Browser's "personal" store.

Step 13 : <optional> , import root.crt into browser's "trusted authorities store"

 
Without step 11 and 12, you will not see neither web page loaded nor ssl error prompted.