我们有一个 Asp.Net 1.1 Web 服务(https://dev-ms01/MsgService/default.asmx) 在 IIS7 (win server 2008 标准版) 上运行,我们在 IIS 中配置了客户端证书身份验证,下面是身份验证.net
的代码
ClientCertificate
private void Authenticate(DataTable dtUserMap,HttpContext context)
{
/// Convert the serial number from IIS to the DC format
/// which is: no dashs octets are in proper order.
string SerialNum = context.Request.ClientCertificate.SerialNumber.Replace("-","");
Debug.WriteLine("Authenticate User with cert = " + SerialNum);
/// get the column names from the table
string[] columnNames = new String[dtUserMap.Columns.Count];
/// populate the string array with the names
for(int i=0;i<dtUserMap.Columns.Count;i++)
{
columnNames[i] = dtUserMap.Columns[i].ColumnName;
}
/// Run a select query with the serial number
DataRow[] rows = dtUserMap.Select("SerialNumber='" + SerialNum + "'");
if (rows.Length==1){
/// the user exits
Debug.WriteLine("User Authenticated");
// further logic
}
else
{
/// either too many users or not any users
Debug.WriteLine("No single User Found");
context.Items.Add("IsAuthenticated",false);
}
}
我们正在设置一个 apache2.4 服务器来支持 TLS 1.2,并充当 IIS 的代理,下面是 apache 配置
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
ServerName secure-dev-ms01
SSLEngine on
SSLProtocol -ALL TLSv1.2
SSLVerifyClient optional
SSLVerifyDepth 3
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/elm/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SSLProxyEngine On
SSLOptions +ExportCertData
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#ProxyPass should be prior to any other Proxy directives
ProxyPass / http://dev-ms01:80/
ProxyPassReverse / http://dev-ms01:80/
RewriteEngine on
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
</VirtualHost>
当我浏览https://secure-dev-ms01/MsgService/default.asmxURL 提示输入客户端证书,当我选择客户端证书时,我没有看到应该看到的授权内容,我怀疑SSLOptions +ExportCertData
apache 的配置没有将客户端证书转发到IIS
。我找不到太多关于如何将客户端证书从 apache 转发到 IIS 的信息/文章。
有人可以帮助我配置 apache 并使用正向代理来对 IIS 进行客户端证书身份验证吗?
更新 1:
尝试将请求转发到https://dev-ms01/
而不是,http://dev-ms01:80/
并SSL_*
在 Apache VirtualHost 中设置请求标头,如下所示,但仍然没有成功
SSLProxyEngine On
SSLOptions +ExportCertData +StdEnvVars
#ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#ProxyPass should be prior to any other Proxy directives
ProxyPass / https://dev-ms01/
ProxyPassReverse / https://dev-ms01/
RewriteEngine on
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_SERVER_S_DN_CN}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
RequestHeader set SSL_CLIENT_CERT_CHAIN_1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"
RequestHeader set X_SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set X_FORWARDED_PROTO "https" env=HTTPS
RequestHeader set SslSubject "%{SSL_CLIENT_S_DN}s"
答案1
据我所知,如果 Apache 终止 TLS 请求,IIS 将无法查看原始客户端证书。Apache 的代理功能无法发起包含原始客户端证书的 https 请求,因为 Apache 无法访问关联的私钥。
apache 的 SSLOptions +ExportCertData 配置未将客户端证书转发到 IIS
这不是该ExportCertData
选项的作用。该选项只是设置一些环境变量,这些变量可以由 CGI 或 Apache 中的其他指令使用。它不会神奇地传递该证书。您甚至在RequestHeader ... lines.
如果您确实需要在 Apache 中代理您的请求,那么您将需要更新代理后面的应用程序,以接受和信任您在 Apache 中设置的 HTTP 标头作为证书的等效物。