TL;DR
This guide shows you how to set up authentication for your proxy server when using HTTPS (SSL/TLS). We’ll cover checking client certificates and basic username/password authentication. This makes sure only allowed users can access your services through the proxy.
Checking Client Certificates
- Generate a Certificate Authority (CA): You need a CA to sign certificates for your clients. OpenSSL is commonly used.

    openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365

- Generate Client Certificates: Create a key and certificate signing request for each client that will connect to the proxy, then sign the request with the CA.

    openssl req -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr
    openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 365

- Configure your Proxy Server: The configuration varies depending on the proxy software (e.g., Nginx, Apache). Here’s an example using Nginx (note the directive names are ssl_client_certificate and ssl_verify_client; the proxy also needs its own server certificate, which should not be the CA key pair itself):

    server {
        listen 443 ssl;
        ssl_certificate /path/to/server.crt;        # the proxy's own server certificate
        ssl_certificate_key /path/to/server.key;    # its private key
        ssl_client_certificate /path/to/ca.crt;     # CA that issued the client certificates
        ssl_verify_client on;                       # reject connections without a valid client certificate
    }

  This tells Nginx to require clients to present a certificate signed by ca.crt.
- Install Client Certificates: Clients need to install their certificate and private key (client1.crt and client1.key) and the CA certificate (ca.crt) into their trusted store. The process depends on the client’s operating system or application.
- Test the Connection: Try connecting through the proxy with a client that has a valid certificate. Connections without a valid certificate should be rejected.
Basic Username/Password Authentication
- Create a Password File: Use a tool like htpasswd to create a password file.

    htpasswd -c /path/to/passwords username1

  This will prompt you for the password. The -c option creates a new file; omit it to add users to an existing file.
- Configure your Proxy Server: Again, configuration depends on your proxy software. The Nginx version:

    server {
        listen 443 ssl;
        ssl_certificate /path/to/server.crt;        # the proxy's own server certificate
        ssl_certificate_key /path/to/server.key;
        auth_basic "Restricted Access";             # realm shown in the browser's login prompt
        auth_basic_user_file /path/to/passwords;    # file created with htpasswd
    }

  This tells Nginx to prompt for a username and password when connecting.
- Test the Connection: When you connect through the proxy, your browser should display a login prompt. Enter valid credentials.
Important Considerations
- Security of Password Files: Protect the password file (/path/to/passwords) with appropriate file permissions to prevent unauthorized access.
- HTTPS is Essential: Always use HTTPS for proxy authentication to encrypt credentials in transit.
- Client Certificate Revocation: Implement a mechanism to revoke client certificates if they are compromised.
- Logging: Enable logging on your proxy server to monitor authentication attempts and identify potential issues.
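The following server block is an added example, not part of the original guide: it combines client-certificate verification and basic authentication in one Nginx configuration and also covers the two considerations above that the guide leaves open, revocation (via a CRL) and logging of each authentication attempt. It assumes it is included inside the http context, and all file paths and the backend address are placeholders.

```nginx
# Added example (not from the original guide). Assumes inclusion in http { }.
# Records who connected, whether their certificate verified, and the result.
log_format auth_audit '$remote_addr user="$remote_user" '
                      'cert_verify=$ssl_client_verify '
                      'cert_dn="$ssl_client_s_dn" '
                      'cert_serial=$ssl_client_serial '
                      '$status "$request"';

server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;

    # The proxy's own server certificate, separate from the CA key pair.
    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # Require a client certificate issued by our CA and check it against a CRL.
    # Regenerate ca.crl and reload Nginx after every revocation.
    ssl_client_certificate /path/to/ca.crt;
    ssl_crl                /path/to/ca.crl;
    ssl_verify_client      on;
    ssl_verify_depth       1;    # accept only certificates signed directly by ca.crt

    # Second factor: username/password from the htpasswd file (outside the web root).
    auth_basic           "Restricted Access";
    auth_basic_user_file /path/to/passwords;

    # Every attempt, accepted or rejected, is written with the certificate outcome.
    access_log /var/log/nginx/proxy-auth.log auth_audit;

    location / {
        proxy_pass http://127.0.0.1:8080;    # placeholder backend address
        # Hand the verified identity to the backend so it can authorize on it.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

A connection that presents no certificate, a certificate from another CA, or a revoked one is refused before any password is requested, and the rejection still appears in proxy-auth.log with cert_verify set to the failure reason.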

