listen pki
bind *:8884 ssl no-sslv3 crt /HAPROXY.pem.ecdsa verify required ca-file /CA_CHAIN.pem
mode http
http-request add-header Content-Type "application/pkcs10"
http-request add-header Content-Transfer-Encoding "base64"
http-request add-header Authorization "Basic somebase64encodedstring"
default_backend pkis_1
backend pkis_1
mode http
http-request add-header Content-Type "application/pkcs10"
http-request add-header Content-Transfer-Encoding "base64"
http-request add-header Authorization "Basic somebase64encodedstring"
server pkis my.domain.com:443 ssl verify none
使用上述配置,我们能够使用相同的证书从某个端点上的 curl 成功调用后端,但我们在需要基本身份验证的同一服务器的另一个端点上被阻止。
curl 调用如下:
curl --cacert '$INITIAL_CACERT' --key '$INITIAL_DEVICE_KEY' --cert '$INITIAL_DEVICE_CERT' --user '$USER':'$PWD' --data @'$1'/'$KEY_NAME'-key.b64 -o '$1'/'$KEY_NAME'-cert-p7.b64 -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" https://'$PKI_SERVER':'$PORT'/.well-known/est/'$2'/simpleenroll
有没有办法将这个 curl 命令的所有内容转发到后端?
奇怪的是,当我们删除所有 SSL 身份验证并切换到 TCP 模式作为透明代理时,基本身份验证有效!
答案1
我无法完全理解您的 HAProxy 配置,但看起来您正在为后端硬编码标头。相反,我会从 curl 添加 HTTP 标头。不要忘记内容类型,基本身份验证信息应从客户端传递,因为并非所有请求都具有相同的内容类型或基本身份验证。查看以下答案这里关于如何在 curl 中传递基本身份验证信息。
答案2
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
正如上述文章所写:
However, you lose the ability to add or edit HTTP headers, as the connection is simply routed through the load balancer to the proxied servers.
This means your application servers will lose the ability to get the X-Forwarded-* headers, which may include the client's IP address, port and scheme used.
因此,我意识到无法通过 TLS 终止来传播所需的标头,这就是为什么我们使用 TLS 直通模式时请求能够起作用的原因!