Apache reverse proxy with a self-signed certificate

I am running a Unifi hardware appliance that ships with a self-signed certificate issued for unifi.local. In my current setup it is not possible, for several reasons, to import a certificate directly on the appliance, so to get rid of the browser's invalid-certificate message I am trying an apache2-based reverse proxy that exposes the appliance under another domain, protected by a Letsencrypt certificate.

My current setup looks like this:

Laptop <-> Apache Reverse Proxy (2.4.48, Debian, trusted wildcard domain certificate) <-> Unifi appliance (self-signed certificate)

My idea is to provide a secure domain called unifi.mydomain.tld that allows secure access to the appliance.

On my apache reverse proxy I created and enabled a configuration file that looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName unifi.mydomain.tld

    SSLProxyEngine On
    # No verification at all of the backend's certificate (chain, name, expiry)
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPass "/" "https://10.0.1.1/"
    ProxyPassReverse "/" "https://10.0.1.1/"
    ProxyPreserveHost Off

    TransferLog /var/log/apache2/proxies/unifi_access.log
    ErrorLog /var/log/apache2/proxies/unifi_error.log

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    SSLOpenSSLConfCmd DHParameters /mnt/certificates/diffie-hellman/dhparam4096.pem
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
</VirtualHost>

# Originally from /etc/letsencrypt/options-ssl-apache.conf
# Written directly here because otherwise SSLProtocol etc is overwritten
# Add vhost name to log entries:
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

</IfModule>

However, when I visit unifi.mydomain.tld, my browser is returned the certificate for unifi.local instead of the one for unifi.mydomain.tld, and therefore raises an untrusted-certificate error. Several tricks have been mentioned, such as setting SSLProxyVerify to none and turning SSLProxyCheckPeerName, SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire off, but none of them work. I cannot import Unifi's self-signed snakeoil certificate on my reverse proxy server.

I am not sure whether apache2 itself objects to the certificate or is returning the wrong one. How can I reach the appliance by browsing to unifi.mydomain.tld without getting this certificate error?

Answer 1

This worked for me!

Requirements:

  1. Apache Tomcat on :8443 with a self-signed key
  2. Apache HTTPD with a reverse proxy to Tomcat at localhost:8443
  3. Apache HTTPD requires mutual client authentication. If that is not your requirement, set: SSLVerifyClient none
  4. Apache HTTPD passes the caller's X.509 identity through the reverse proxy to tomcat.

 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
 LogLevel warn
 # Reverse proxy only: "ProxyRequests On" would also turn httpd into an open forward proxy
 ProxyRequests Off
 ProxyPass /test1 https://localhost:8443/test/
 ProxyPassReverse /test1 https://localhost:8443/test/
# SSL Settings for the DMZ
 SSLEngine on
 SSLProtocol TLSv1.2
 SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA
 SSLCertificateKeyFile /home/jdoyle/sample_httpd_server_example_root_ca_.key
 SSLCertificateFile /home/jdoyle/sample_httpd_server_example_root_ca_.cer
 SSLCACertificateFile /home/jdoyle/consolidated_cacerts.cer
# SSL Settings for the Reverse Proxy
 SSLProxyEngine on
 # Verify the Tomcat certificate against the pinned file below; only the name check is skipped
 SSLProxyVerify require
 SSLProxyProtocol TLSv1.2
 SSLProxyCheckPeerName off
 SSLProxyCACertificateFile /home/jdoyle/consolidated_cacerts.cer
 SSLVerifyClient require
 SSLVerifyDepth  10
# Pass the SSL context on to tomcat (RequestHeader "set" replaces any value the client sent)

RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
....

SSLOptions +ExportCertData +StrictRequire
....

Notes:

a. SSLProxyCACertificateFile is used for the httpd<->tomcat connection and contains the public key of the Tomcat server's self-signed certificate.

b. SSLCACertificateFile is used for the DMZ <-> httpd connection and must contain all CA certificates for any inbound connection.
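The answer's approach, pinning the backend's self-signed certificate with SSLProxyVerify require and SSLProxyCACertificateFile instead of disabling every check as in the question, can be tried with nothing but the openssl CLI. The script below is an added example and is not code from the question, the answer, or Apache; it builds a constructed self-signed certificate shaped like the appliance's (CN unifi.local, no SAN for the IP 10.0.1.1 the proxy dials), runs the same chain and name checks mod_ssl would run, and emits the proxy-side directives. The scratch directory $WORK, the pin path /etc/apache2/unifi-backend.pem and the fetch_backend_cert helper are assumptions, not from the page.

```shell
#!/bin/sh
# Added example; not code from the question or the answer above. It shows what
# "SSLProxyVerify require" + "SSLProxyCACertificateFile <backend cert>" does
# with a self-signed backend certificate, using only the openssl CLI, then
# emits the matching Apache proxy fragment. Assumptions, not from the page:
# scratch dir $WORK and the pin path /etc/apache2/unifi-backend.pem.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Pull the appliance's current self-signed leaf over the network (not run
# offline). For a self-signed cert this one file is the whole trust anchor.
fetch_backend_cert() {   # $1 host or IP, $2 port, $3 output PEM
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Offline stand-in: a constructed self-signed cert shaped like the appliance's
# (CN and SAN unifi.local; no SAN for the IP the proxy actually dials).
make_fake_backend_cert() {   # $1 output PEM
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=unifi.local" -addext "subjectAltName=DNS:unifi.local" \
        -keyout "$WORK/backend.key" -out "$1" >/dev/null 2>&1
}

# Verify a leaf the way mod_ssl does for SSLProxyVerify require. Prints OK/FAIL.
#   $1 leaf PEM
#   $2 pin file (SSLProxyCACertificateFile), or "" for no pin
#   $3 name check such as "-verify_hostname unifi.local" or "-verify_ip 10.0.1.1",
#      or "" to skip it (the effect of SSLProxyCheckPeerName off)
verify_as_proxy() {
    leaf=$1; pin=$2; namecheck=$3
    set -- "$leaf"
    # word splitting of $namecheck into option and value is intended
    if [ -n "$namecheck" ]; then set -- $namecheck "$@"; fi
    if [ -n "$pin" ]; then set -- -CAfile "$pin" "$@"; fi
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The proxy-side directives that replace the question's "verify nothing" block.
emit_vhost() {   # $1 path of the pinned backend cert on the proxy host
    cat <<EOF
    SSLProxyEngine On
    # Trust exactly the appliance's own certificate, nothing else.
    SSLProxyVerify require
    SSLProxyCACertificateFile $1
    # The cert says unifi.local but ProxyPass dials 10.0.1.1, so the name check
    # can never pass; the pin above is what still authenticates the backend.
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire on
    ProxyPass "/" "https://10.0.1.1/"
    ProxyPassReverse "/" "https://10.0.1.1/"
EOF
}

# Stand-alone run: sh thisfile.sh demo
demo() {
    c="$WORK/backend.pem"
    make_fake_backend_cert "$c"
    echo "no pin, no name check : $(verify_as_proxy "$c" "" "")"
    echo "pinned, no name check : $(verify_as_proxy "$c" "$c" "")"
    echo "pinned, unifi.local   : $(verify_as_proxy "$c" "$c" "-verify_hostname unifi.local")"
    echo "pinned, IP 10.0.1.1   : $(verify_as_proxy "$c" "$c" "-verify_ip 10.0.1.1")"
    emit_vhost /etc/apache2/unifi-backend.pem
}
if [ "${1:-}" = demo ]; then demo; fi
```

The four checks show why the answer's combination is the right one: without the pin the self-signed leaf fails chain validation, with the pin it passes, and the name check passes only for unifi.local, never for the IP in the ProxyPass URL, which is the one reason SSLProxyCheckPeerName has to be off. If you would rather keep the name check on, point ProxyPass at https://unifi.local/ and resolve that name to 10.0.1.1 in /etc/hosts on the proxy. The pin is the appliance's own certificate, so it must be refreshed whenever the appliance regenerates that certificate. For the answer's SSL_CLIENT_* request headers, RequestHeader set overwrites anything the client sent, but they only mean something if Tomcat's :8443 is reachable from the proxy alone and not directly from the DMZ.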
