设置
服务器AApache 运行 HTTPS 站点,需要客户端证书才能连接。请参阅下面有关 /etc/apache2/sites-available/secure.site.conf 和 /etc/apache2/mods-available/ssl.conf 的信息
客户A:浏览器使用客户端证书连接到ServerA
服务器B上的代理:Apache 充当正向代理,应该能够使用客户端证书和服务器连接到 ServerB,请参阅下面有关 /etc/apache2/sites-available/forward.proxy.conf 的信息
客户B:浏览器使用 ServerB 上的代理来访问 ServerA 上的内容,而无需客户端证书。
地位
- 工作正常:客户端 A -OK-> 服务器 A
- 不工作:客户端 B -OK-> 服务器 B 上的代理 -X-> 服务器 A
替代解决方案 我发现 SEnginx 应该可以完成这个工作
如果 Apache 无法做到这一点,这是一个后备方案......
日志文件
/var/log/apache2/proxy_8004_access.log
all start with [Wed Nov 18 23:42:00.888597 2015] [proxy:debug] [pid 4374:tid 140546074822528]
[...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
[...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
[...] proxy_util.c(1848): AH00930: initialized pool in child 4374 for (*) min=0 max=25 smax=25
[...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
[...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
[...] proxy_util.c(1848): AH00930: initialized pool in child 4373 for (*) min=0 max=25 smax=25
/var/log/apache2/secure.site_error.log
all start with [Wed Nov 18 23:42:13.462770 2015] [core:trace6] [pid 4374:tid 140545817044736]
[...] core_filters.c(527): [client 192.168.0.30:59423] core_output_filter: flushing because of FLUSH bucket
[...] ssl_engine_kernel.c(1807): [client 192.168.0.30:59423] OpenSSL: Write: unknown state
[...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
[...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
[...] [client 192.168.0.30:59423] AH02008: SSL library error 1 in handshake (server secure.site:443)
[...] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
[...] client 192.168.0.30:59423] AH01998: Connection closed to child 70 with abortive shutdown (server secure.site:443)
设置详情
Server A - Client Certificates creation
mkdir -p /root/myCA/CA /root/myCA/server /root/myCA/user; cd /root/myCA; echo 01 > serial; touch index.txt
#CA creation
openssl genrsa -out /root/myCA/CA/myCA.key 1024
openssl req –new –key /root/myCA/CA/myCA.key –out /root/myCA/CA/myCA.csr
input>Common Name (e.g. server FQDN or YOUR name) []:myCA
openssl x509 -req -days 3650 -in /root/myCA/CA/myCA.csr -out /root/myCA/CA/myCA.crt -signkey /root/myCA/CA/myCA.key
#SERVER cert creation
openssl genrsa -des3 -out /root/myCA/server/secure.site.key 1024
input>password
openssl req -new -key /root/myCA/server/secure.site.key -out /root/myCA/server/secure.site.csr
input> Common Name (e.g. server FQDN or YOUR name) []:secure.site
openssl ca -days 3650 -in /root/myCA/server/secure.site.csr -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/server/secure.site.crt -config /etc/ssl/openssl.cnf
#clients cert creatin
openssl genrsa -des3 -out /root/myCA/user/[email protected] 1024
input>password
openssl req -new -key /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
input >Common Name (e.g. server FQDN or YOUR name) []:Developers
openssl ca -in /root/myCA/user/[email protected] -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/user/[email protected]
openssl x509 -in /root/myCA/user/[email protected] -text
#export for usage in browser
openssl pkcs12 -export -clcerts -in /root/myCA/user/[email protected] -inkey /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
#concat file for proxy
cat [email protected] [email protected] > [email protected]
Server A /etc/apache2/sites-available/secure.site.conf (full file)
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
Servername secure.site
DocumentRoot /var/www/secure.site/www
LogLevel trace8 ssl:trace8
ErrorLog ${APACHE_LOG_DIR}/secure.site_error.log
CustomLog ${APACHE_LOG_DIR}/secure.site_access.log combined
SSLEngine on
SSLCertificateFile /root/myCA/server/secure.site.crt
SSLCertificateKeyFile /root/myCA/server/secure.site.key
SSLCACertificateFile /root/myCA/CA/myCA.crt
</VirtualHost>
</IfModule>
/etc/apache2/mods-available/ssl.conf (just infos what was added)
added at the end
SSLVerifyClient require
SSLVerifyDepth 2
Server B /etc/apache2/sites-available/forward.proxy.conf
listen 8004
<VirtualHost *:8004>
ProxyRequests On
ProxyVia On
LogLevel trace8 ssl:trace8
ErrorLog ${APACHE_LOG_DIR}/proxy_8004_access.log
CustomLog ${APACHE_LOG_DIR}/proxy_8004_error.log combined
SSLCACertificateFile "/root/myCA/CA/myCA.crt"
SSLProxyMachineCertificateFile "/root/myCA/user/[email protected]"
</VirtualHost>