
Configure Apache Client Certificate Authentication for proxy

I have 3 backend API servers (HTTPS). The API servers grant different authorization permissions to different users based on the user's certificate. I am configuring Apache to load balance the 3 backend servers, like below:

<VirtualHost *:zzzz>
       # Front-end TLS: Apache terminates the client's HTTPS connection here
       SSLEngine on
       SSLCertificateFile /path/to/server.crt
       SSLCertificateKeyFile /path/to/server.key
       SSLCACertificateFile /path/to/ca.crt
       # Back-end TLS: Apache opens its own HTTPS connection to each member
       SSLProxyEngine on
       # Back-end certificate verification is disabled entirely
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off
       <Proxy balancer://api_server>
           BalancerMember https://xx.xx.xx.xx:yyyy
           BalancerMember https://xx.xx.xx.xx:yyyy
       </Proxy>
       ProxyPass / balancer://api_server/
</VirtualHost>

The problem is that when a client sends a request to Apache with certificates, only the request goes to the API server, not the certificates, and the API server responds "unauthorized user". I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, whereas in this case the authorization happens only based on certificates.

Is there a way to blindly forward HTTPS requests to the API? Any other suggestions are warmly welcome.

Transforming the comment into an answer since it solved the OP's question.

The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client.

The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.

Try switching to AJP instead of HTTP proxy, as explained in the Apache doc: https://httpd.apache.org/docs/2.4/en/mod/mod_proxy_ajp.html

If I understand well what you're saying, you need the client certificate to be forwarded, which is a feature of AJP:

From the "Request Packet Structure" table in that doc: ?ssl_cert (code 0x07, type String)
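As an added illustration (not the config from the question or the answer), this is what the front end looks like when Apache verifies the user's certificate itself and forwards it to the backends over AJP, as the answer suggests. Hostnames, ports, paths and the shared secret are placeholders; it assumes the backends expose an AJP connector and that httpd is 2.4.42 or newer for the secret parameter.

```apache
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Apache terminates TLS and verifies the user's certificate against the
    # CA the backends trust; an unverified client never reaches a backend.
    SSLCACertificateFile  /path/to/ca.crt
    SSLVerifyClient       require

    # Export the PEM certificate as SSL_CLIENT_CERT; mod_proxy_ajp sends it
    # to the backend as the ssl_cert (0x07) request attribute.
    SSLOptions +StdEnvVars +ExportCertData

    # The backend leg is AJP, so no SSLProxy* directives are needed here.
    <Proxy balancer://api_server>
        # backendN.internal and 8009 are placeholders. The AJP port must be
        # reachable only from this proxy, because the backend trusts the
        # certificate the proxy claims to have verified.
        BalancerMember ajp://backend1.internal:8009 secret=CHANGEME
        BalancerMember ajp://backend2.internal:8009 secret=CHANGEME
        BalancerMember ajp://backend3.internal:8009 secret=CHANGEME
    </Proxy>
    ProxyPass        / balancer://api_server/
    ProxyPassReverse / balancer://api_server/
</VirtualHost>
```

The backend then reads the user's certificate from the AJP attribute instead of from its own TLS handshake, so the proxy becomes the trust boundary: the same secret must be configured on each backend's AJP connector, and the AJP port should not be exposed beyond the proxy.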
