Recently I came across a problem of forwarding a certificate Id to backend service for the authentication purposes. I also do not want to handle SSL at services. <\/p>\n
Let’s say I have a server setup as follows: There is an Angular website on port 4200 and REST\/Websocket services on port 3000. REST services are accessible over endpoint To extract a field from a client certificate (e.g. CN in my case) and forward request to a backend REST server with an additional header field is not a problem. I just extract property The problem comes, when you would like to do the same for the Websocket connections – you cannot set header for these type of connections. But you can do a workaround (the point of this post): Tell clients to connect to the endpoint \/kumuluz<\/code> and Websocket connections via \/v1\/devices. As a common facade to access these services I set up Apache as a reverse proxy as in an example configuration below.<\/p>\n%{SSL_CLIENT_S_DN_CN}s<\/code> and set a header field clientId<\/code>.<\/p>\n\/v1\/devices\/CLIENT_ID<\/code> and then check if the parameter matches the client id of underlying client certificate. Now you forced the client to use the correct ids in URL, which you can use for authentication as Apache forwards only requests where SSLRequire successes.<\/p>\n\r\n