apache mod_proxy 使用客户端证书回调内容服务器

tag-icon tag-icon apache-2.2 proxy certificate mod-proxy
apache mod_proxy 使用客户端证书回调内容服务器

设置

  • 服务器AApache 运行 HTTPS 站点,需要客户端证书才能连接。请参阅下面有关 /etc/apache2/sites-available/secure.site.conf 和 /etc/apache2/mods-available/ssl.conf 的信息

  • 客户A:浏览器使用客户端证书连接到ServerA

  • 服务器B上的代理:Apache 充当正向代理,应该能够使用客户端证书和服务器连接到 ServerB,请参阅下面有关 /etc/apache2/sites-available/forward.proxy.conf 的信息

  • 客户B:浏览器使用 ServerB 上的代理来访问 ServerA 上的内容,而无需客户端证书。

地位

  • 工作正常:客户端 A -OK-> 服务器 A
  • 不工作:客户端 B -OK-> 服务器 B 上的代理 -X-> 服务器 A

替代解决方案 我发现 SEnginx 应该可以完成这个工作

如果 Apache 无法做到这一点,这是一个后备方案......

日志文件

/var/log/apache2/proxy_8004_access.log
    all start with [Wed Nov 18 23:42:00.888597 2015] [proxy:debug] [pid 4374:tid 140546074822528] 
    [...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
    [...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
    [...] proxy_util.c(1848): AH00930: initialized pool in child 4374 for (*) min=0 max=25 smax=25
    [...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
    [...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
    [...] proxy_util.c(1848): AH00930: initialized pool in child 4373 for (*) min=0 max=25 smax=25

/var/log/apache2/secure.site_error.log  
    all start with [Wed Nov 18 23:42:13.462770 2015] [core:trace6] [pid 4374:tid 140545817044736] 
    [...] core_filters.c(527): [client 192.168.0.30:59423] core_output_filter: flushing because of FLUSH bucket
    [...] ssl_engine_kernel.c(1807): [client 192.168.0.30:59423] OpenSSL: Write: unknown state
    [...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
    [...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
    [...] [client 192.168.0.30:59423] AH02008: SSL library error 1 in handshake (server secure.site:443)
    [...] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
    [...] client 192.168.0.30:59423] AH01998: Connection closed to child 70 with abortive shutdown (server secure.site:443)

设置详情

Server A - Client Certificates creation

mkdir -p /root/myCA/CA /root/myCA/server /root/myCA/user; cd /root/myCA; echo 01 > serial; touch index.txt

#CA creation
openssl genrsa -out /root/myCA/CA/myCA.key 1024
openssl req –new –key /root/myCA/CA/myCA.key –out /root/myCA/CA/myCA.csr
 input>Common Name (e.g. server FQDN or YOUR name) []:myCA
openssl x509 -req -days 3650 -in /root/myCA/CA/myCA.csr -out /root/myCA/CA/myCA.crt -signkey /root/myCA/CA/myCA.key
#SERVER cert creation
openssl genrsa -des3 -out /root/myCA/server/secure.site.key 1024
input>password
openssl req -new -key /root/myCA/server/secure.site.key -out /root/myCA/server/secure.site.csr
 input> Common Name (e.g. server FQDN or YOUR name) []:secure.site
openssl ca -days 3650 -in /root/myCA/server/secure.site.csr -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/server/secure.site.crt -config /etc/ssl/openssl.cnf
#clients cert creatin
openssl genrsa -des3 -out /root/myCA/user/[email protected] 1024
 input>password
openssl req -new -key /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
 input >Common Name (e.g. server FQDN or YOUR name) []:Developers
openssl ca -in /root/myCA/user/[email protected] -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/user/[email protected]
openssl x509 -in /root/myCA/user/[email protected] -text
#export for usage in browser 
openssl pkcs12 -export -clcerts -in /root/myCA/user/[email protected] -inkey /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
#concat file for proxy
cat [email protected] [email protected] > [email protected]


Server A    /etc/apache2/sites-available/secure.site.conf (full file)
                <IfModule mod_ssl.c>
                    <VirtualHost _default_:443>
                        Servername secure.site
                        DocumentRoot /var/www/secure.site/www

                        LogLevel trace8 ssl:trace8
                        ErrorLog ${APACHE_LOG_DIR}/secure.site_error.log
                        CustomLog ${APACHE_LOG_DIR}/secure.site_access.log combined

                        SSLEngine on
                        SSLCertificateFile      /root/myCA/server/secure.site.crt
                        SSLCertificateKeyFile   /root/myCA/server/secure.site.key
                        SSLCACertificateFile    /root/myCA/CA/myCA.crt
                    </VirtualHost>
                </IfModule>

            /etc/apache2/mods-available/ssl.conf (just infos what was added)
                added at the end
                    SSLVerifyClient require
                    SSLVerifyDepth 2

 Server B   /etc/apache2/sites-available/forward.proxy.conf 
                listen 8004
                <VirtualHost *:8004>
                        ProxyRequests On
                        ProxyVia On

                        LogLevel trace8 ssl:trace8
                        ErrorLog ${APACHE_LOG_DIR}/proxy_8004_access.log
                        CustomLog ${APACHE_LOG_DIR}/proxy_8004_error.log combined

                        SSLCACertificateFile "/root/myCA/CA/myCA.crt"
                        SSLProxyMachineCertificateFile "/root/myCA/user/[email protected]"
                </VirtualHost>

相关内容