SSL_CLIENT_CERT_CHAIN not passed to backend server

I have client certificates configured and working in Apache. I want to pass the client's PEM-encoded X.509 certificate to the backend server.

I tried using SSLOptions +ExportCertData. This does not work at all, although the documentation states that it should add SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn (n = 0,1,2,...) as headers. Any idea why this option does not work?

Then I tried setting the headers myself with RequestHeader. This works for every variable except SSL_CLIENT_CERT_CHAIN, which shows up empty in the header. Any idea why the certificate chain is not populated?

This is my first Apache configuration:

<VirtualHost 192.168.56.100:443>
    ServerName www.test.org
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLProxyEngine on

    SSLCertificateFile     /etc/apache2/ssl/certs/www.test.org.crt
    SSLCertificateKeyFile  /etc/apache2/ssl/private/www.test.org.key
    SSLCACertificateFile   /etc/apache2/ssl/ca/ca.crt

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /carbon>
        ProxyPass          http://www.test.org:9763/carbon
        ProxyPassReverse   http://www.test.org:9763/carbon
    </Location>

    <Location /services/GbTestProxy>
        SSLVerifyClient require
        SSLVerifyDepth  5
        SSLOptions +ExportCertData

        ProxyPass          http://www.test.org:8888/services/GbTestProxy
        ProxyPassReverse   http://www.test.org:8888/services/GbTestProxy
    </Location>
</VirtualHost>

This is my second Apache configuration:

<VirtualHost 192.168.56.100:443>
    ServerName www.test.org
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLProxyEngine on

    SSLCertificateFile     /etc/apache2/ssl/certs/www.test.org.crt
    SSLCertificateKeyFile  /etc/apache2/ssl/private/www.test.org.key
    SSLCACertificateFile   /etc/apache2/ssl/ca/ca.crt

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /carbon>
        ProxyPass          http://www.test.org:9763/carbon
        ProxyPassReverse   http://www.test.org:9763/carbon
    </Location>

    <Location /services/GbTestProxy>
        SSLVerifyClient require
        SSLVerifyDepth  5
        SSLOptions +ExportCertData

        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
        RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
        # Header name and mod_ssl variable must both refer to the client certificate
        RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
        RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
        RequestHeader set SSL_CLIENT_CERT_CHAIN_1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

        ProxyPass          http://www.test.org:8888/services/GbTestProxy
        ProxyPassReverse   http://www.test.org:8888/services/GbTestProxy
    </Location>
</VirtualHost>

Hopefully someone can help.

Regards, nidkil

Answer 1

This is an old question, but I will answer it in case someone else stumbles on it the way I did.

The issuer certificate is actually at position 0 in the Apache chain, not 1. To get the issuer certificate you want, do the following:

RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"

Answer 2

SSLOptions +ExportCertData does not add headers to the proxied request; it adds environment variables, namely the ones you tried to add as headers in your second configuration (but since you removed SSLOptions from the configuration, they are not in the environment).

You will need the RequestHeader set configuration together with SSLOptions +ExportCertData.
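As an added example, not code from the question or from either answer, here is how the backend on the other end of those ProxyPass lines can consume the forwarded headers without trusting them blindly. Both answers describe the proxy side (ExportCertData plus RequestHeader set, with the chain starting at index 0); the backend side is where the security decision actually happens. The code assumes the proxy sets SSL_CLIENT_CERT, SSL_CLIENT_CERT_CHAIN_n and SSL_CLIENT_VERIFY with RequestHeader set as in the second configuration, that mod_headers folds the PEM line breaks into spaces so the header arrives as a single line (a commonly observed Apache behaviour, assumed here), and that the backend is reachable only through the proxy at 192.168.56.100. The DER blobs, DNs and header values are constructed for the example and are not real certificates.

```python
"""Backend-side handling of client-certificate headers forwarded by Apache.

Added example; not code from the question or the answers. Assumptions:
  * Apache forwards SSL_CLIENT_CERT, SSL_CLIENT_CERT_CHAIN_n (n from 0) and
    SSL_CLIENT_VERIFY via `RequestHeader set ... "%{VAR}s"`.
  * mod_headers folds the PEM line breaks into spaces (assumed), so a header
    looks like "-----BEGIN CERTIFICATE----- MIIB... -----END CERTIFICATE-----".
  * The backend must only honour these headers when the peer is the proxy;
    a client reaching the backend port directly could otherwise supply them.
"""
import base64
import hashlib
from typing import Dict, List, Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def restore_pem(header_value: str) -> str:
    """Rebuild a multi-line PEM block from the space-folded header value."""
    value = header_value.strip()
    if not (value.startswith(PEM_HEADER) and value.endswith(PEM_FOOTER)):
        raise ValueError("header does not carry a PEM certificate")
    body = "".join(value[len(PEM_HEADER):-len(PEM_FOOTER)].split())
    # Reject anything that is not valid base64 before it reaches an X.509 parser.
    base64.b64decode(body, validate=True)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body of a PEM block into DER bytes."""
    body = pem.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(body.split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def forwarded_chain(headers: Dict[str, str]) -> List[str]:
    """Collect SSL_CLIENT_CERT_CHAIN_0, _1, ... in order, stopping at the first
    missing or empty index. Index 0 is the client's issuer (first answer)."""
    chain: List[str] = []
    i = 0
    while True:
        value = headers.get(f"SSL_CLIENT_CERT_CHAIN_{i}", "").strip()
        if not value:
            return chain
        chain.append(restore_pem(value))  # raises on a malformed header
        i += 1


def client_identity(headers: Dict[str, str], peer_ip: str,
                    trusted_proxies: set) -> Optional[dict]:
    """Return the verified client identity, or None when the request did not
    arrive through a trusted proxy or mod_ssl did not verify the client."""
    if peer_ip not in trusted_proxies:
        return None  # the caller could have set these headers itself
    if headers.get("SSL_CLIENT_VERIFY", "").strip() != "SUCCESS":
        return None  # proxy did not verify the certificate against the CA
    pem = restore_pem(headers["SSL_CLIENT_CERT"])
    der = pem_to_der(pem)
    return {
        "subject_dn": headers.get("SSL_CLIENT_S_DN", "").strip(),
        "issuer_dn": headers.get("SSL_CLIENT_I_DN", "").strip(),
        "pem": pem,
        "der": der,
        "fingerprint_sha256": sha256_fingerprint(der),
        "chain_der": [pem_to_der(p) for p in forwarded_chain(headers)],
    }


# Constructed sample data: tiny DER blobs standing in for real certificates.
SAMPLE_CLIENT_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_ISSUER_DER = b"\x30\x03\x02\x01\x07"
TRUSTED_PROXIES = {"192.168.56.100"}  # the proxy address from the question


def folded_header(der: bytes) -> str:
    """Produce the single-line, space-folded form the proxy is assumed to send."""
    return f"{PEM_HEADER} {base64.b64encode(der).decode('ascii')} {PEM_FOOTER}"


SAMPLE_HEADERS = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=client1,O=Example",
    "SSL_CLIENT_I_DN": "CN=Example CA,O=Example",
    "SSL_CLIENT_CERT": folded_header(SAMPLE_CLIENT_DER),
    "SSL_CLIENT_CERT_CHAIN_0": folded_header(SAMPLE_ISSUER_DER),
}

if __name__ == "__main__":
    print(client_identity(SAMPLE_HEADERS, "192.168.56.100", TRUSTED_PROXIES))
    print(client_identity(SAMPLE_HEADERS, "10.0.0.9", TRUSTED_PROXIES))  # None
```

The peer-address check is the part most often forgotten: RequestHeader set overwrites any header of the same name that the browser sent, so the proxy itself is safe against spoofing, but a backend listening on port 8888 with no further protection accepts the same header names from anyone who can reach it directly. Restoring the PEM and validating the base64 before handing the bytes to an X.509 parser keeps malformed header values from reaching that parser at all.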
