Can a Lighttpd $HTTP["url"] condition be used to enable the ssl.verifyclient.* options dynamically?

I need to enable the ssl.verifyclient.* options for a single endpoint of the site, so that certificate-based login or verification happens only there. But it does not work.

Configuration:

$HTTP["host"] =~ "^(.*\.|)example.com$"{    

    $SERVER["socket"] == ":443" {
        protocol     = "https://" 
        ssl.engine   = "enable" 
        ssl.disable-client-renegotiation = "disable" 

        #server.name = "example.com" 
        ssl.pemfile               = "/etc/lighttpd/ssl/example.com.pem" 
        ssl.ca-file               = "/etc/lighttpd/ssl/bundle-ca.pem" 

        ssl.honor-cipher-order = "enable" 
        #ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384" 
        #ssl.use-compression = "disable" 
        setenv.add-response-header = (
            "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
            "X-Frame-Options" => "DENY",
            "X-Content-Type-Options" => "nosniff" 
        )
        ssl.use-sslv2 = "enable" 
        ssl.use-sslv3 = "enable" 
        ssl.read-ahead = "enable" 
        #ssl.disable-client-renegotiation = "disable" 

        # It Works
        $HTTP["host"] == "ssl.example.com"{
            server.name = "ssl.example.com" 
            #ask for client cert
            ssl.verifyclient.activate   = "enable" 
            ssl.verifyclient.enforce    = "enable" 

            ssl.verifyclient.exportcert = "enable" 
            #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN" 
            ssl.verifyclient.depth      = 3
        }

        # It does not work
        $HTTP["url"] =~ "/backend/server/auth/ssl"  {
            #ask for client cert
            ssl.verifyclient.activate   = "enable" 
            ssl.verifyclient.enforce    = "disable" 

            ssl.verifyclient.exportcert = "enable" 
            #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN" 
            ssl.verifyclient.depth      = 10
        }
    }
}

Is this a bug or a configuration mismatch?

Answer 1

It cannot work. SSL is negotiated before any HTTP request is sent to the server.

While the SSL connection is being negotiated, the client sends the virtual host name using the SNI feature of SSL. Client verification also takes place during the negotiation of the SSL connection.

Only once the SSL session has been established does the client send the "GET /path/to/resource" request to the web server.

You need to apply client verification to the whole domain.