如何在 IIS 中针对特定 URL 的所有请求要求双向 TLS
How to require mutual TLS in IIS for all requests at specific URL's
对于相互 TLS (MTLS),身份服务器 4 documentation 表示身份服务器在某些端点配置为 MTLS。
In IdentityServer, the mutual TLS endpoints are expected to be located beneath the path ~/connect/mtls. This means your web server can be configured to require mutual TLS for all requests at and below that path.
有没有办法在 IIS 中执行此操作?我一直在广泛研究,但找不到为特定端点启用 MTLS 的方法。
在 readme for the certificate authentication package referenced in the Identity Server documentation 中,它说:
Can I configure my application to require a certificate only on certain paths?
Not possible, remember the certificate exchange is done that the start of the HTTPS conversation, it's done by the host, not the application. Kestrel, IIS, Azure Web Apps don't have any configuration for this sort of thing.
所以我认为这是不可能的。但如果在特定路径上无法进行证书身份验证,我当然会感谢任何其他关于如何为 Identity Server 解决 MTLS 的反馈。
如果您在 ApplicationHost.config 中对涉及的节点设置 read/write 权限,您可以在 web.config 中进行设置:
<configuration>
...
<location path="connect/mtls">
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
</security>
</system.webServer>
</location>
...
</configuration>
/汉斯
对于相互 TLS (MTLS),身份服务器 4 documentation 表示身份服务器在某些端点配置为 MTLS。
In IdentityServer, the mutual TLS endpoints are expected to be located beneath the path ~/connect/mtls. This means your web server can be configured to require mutual TLS for all requests at and below that path.
有没有办法在 IIS 中执行此操作?我一直在广泛研究,但找不到为特定端点启用 MTLS 的方法。
在 readme for the certificate authentication package referenced in the Identity Server documentation 中,它说:
Can I configure my application to require a certificate only on certain paths?
Not possible, remember the certificate exchange is done that the start of the HTTPS conversation, it's done by the host, not the application. Kestrel, IIS, Azure Web Apps don't have any configuration for this sort of thing.
所以我认为这是不可能的。但如果在特定路径上无法进行证书身份验证,我当然会感谢任何其他关于如何为 Identity Server 解决 MTLS 的反馈。
如果您在 ApplicationHost.config 中对涉及的节点设置 read/write 权限,您可以在 web.config 中进行设置:
<configuration>
...
<location path="connect/mtls">
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
</security>
</system.webServer>
</location>
...
</configuration>
/汉斯