Filter incoming client with certificate

Discuss and get help configuring CacheGuard to protect Web servers
Post Reply
cache123
Posts: 3
Joined: 29 Mar 2016 12:57

Filter incoming client with certificate

Post by cache123 » 29 Mar 2016 14:44

Hello,
I would like to restrict access to my servers sitting behing cacheguard.
I'm thinking of using certificates on my clients.
Is CacheGuard able to check for certificates on the clients to allow/reject them ?
Otherwise how could I better restrict client acccess ?
Thank you

User avatar
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Filter incoming client with certificate

Post by david » 29 Mar 2016 14:56

Hello

Could you please be more specific when you use the term "access"? Do you need an administrative access to your servers? Or a Web access... Windows or Linux servers?

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

cache123
Posts: 3
Joined: 29 Mar 2016 12:57

Re: Filter incoming client with certificate

Post by cache123 » 29 Mar 2016 19:40

Hi David,
Thanks for your reply.
Access is only user access to web services. No admin access.
Linux servers (apache/httpd).
I would like Cachaguard to check the presence of a certificate on the web client machine and alllow access to cloacked servers. It has to be combined with authentication user/pw.
Regards

User avatar
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Filter incoming client with certificate

Post by david » 29 Mar 2016 22:03

Hi

In short, no, the current version (1.1.5) does not support HTTPS client authentication.

However if you need both types of service (with and without HTTPS client authentication) nothing stops you from implementing HTTPS clients authentication directly on your cloaked Web servers. In this case CG acts as a network firewall only towards your HTTPS client authenticated service (let's say on 444 port) and a Web gateway (WAF, firewall, reverse proxy, SSL terminator...) towards your NON HTTPS client authenticated service (on the standard 443 port).

Please keep in mind that CG is cabled to be placed in front of Web servers widely accessible on the Internet. That's why we didn't integrate HTTPS client authentication (but is shouldn't be a big deal to integrate it if many people ask for it).

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Post Reply