I have 3 backend API servers (HTTPS). The API servers have different authorization permissions for different users based on the user certificate. I am configuring Apache to load balance the 3 backend servers, like below:
<VirtualHost *:zzzz>
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile /path/to/ca.crt
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    <Proxy balancer://api_server>
        BalancerMember https://xx.xx.xx.xx:yyyy
        BalancerMember https://xx.xx.xx.xx:yyyy
    </Proxy>
    ProxyPass / balancer://api_server/
</VirtualHost>
The problem is that when a client requests Apache with certificates, only the request goes to the API server, not the certificates, and the API server responds with unauthorized user. I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, but in this case the authorization happens only based on certificates.
Is there a way to blindly forward the HTTPS request to the API? Any other suggestions are warmly welcome.
Transforming the comment into an answer since it solved the OP's question.
The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client.
The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.
Try switching to AJP instead of HTTP proxy, as explained in the Apache doc: https://httpd.apache.org/docs/2.4/en/mod/mod_proxy_ajp.html
If I understand well what you're saying, you need the client certificate to be forwarded, which is a feature of AJP :
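A sketch of the AJP approach suggested above, as an added example that is not part of the original posts. It assumes the backends expose an AJP connector (Tomcat, for example) and that mod_ssl, mod_proxy, mod_proxy_ajp and mod_proxy_balancer are loaded; the listening port, backend host names and AJP port are placeholders.

```apache
# Added example, not the asker's configuration.
# Assumption: each backend speaks AJP on port 8009 (placeholder).
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Apache terminates TLS here, so Apache itself has to request the
    # client certificate and validate it against the CA that issues
    # the user certificates. Without this there is nothing to forward.
    SSLCACertificateFile  /path/to/ca.crt
    SSLVerifyClient require

    # The hop to the backends is AJP, not HTTPS, so none of the
    # SSLProxy* directives from the original configuration apply.
    # mod_proxy_ajp sends the verified client certificate to the
    # backend as an AJP request attribute.
    <Proxy balancer://api_server>
        BalancerMember ajp://backend1.example.internal:8009
        BalancerMember ajp://backend2.example.internal:8009
    </Proxy>
    ProxyPass / balancer://api_server/
</VirtualHost>
```

AJP itself is unencrypted, and the backend trusts whatever certificate attribute arrives on its AJP port, so that port should accept connections only from the proxy.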