How to configure Apache 2.4 to authenticate towards 2 or more remote servers using SSLProxyMachineCertificatePath directive?
I successfully configured my Apache 2.4 as a proxy server that authenticates towards a remote server:
httpd-ssl.conf
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
Now I need to introduce authentication towards a second remote server, so I changed the configuration above to this:
httpd-ssl.conf
SSLProxyEngine on
SSLProxyMachineCertificatePath "C:/Apache24/conf/myClientCertsForWs/"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
ProxyPass /ws2/ <HTTPS URL of remote service 2>
ProxyPassReverse /ws2/ <HTTPS URL of remote service 2>
In "C:/Apache24/conf/myClientCertsForWs/" I placed the 2 client certificates, renamed with the hash names (54678734.0 and 77b3aaf4.0) generated by these commands:
openssl x509 -hash -noout -in myClientCertForWs1.pem
openssl x509 -hash -noout -in myClientCertForWs2.pem
Unfortunately this configuration does not work: the only certificate Apache uses is the first one, so authentication towards the second remote server always fails; if I remove the first certificate from "C:/Apache24/conf/myClientCertsForWs/", it does not fail.
The only working solution I found is to configure 2 VirtualHosts, one for each remote server:
httpd-ssl.conf
<VirtualHost _default_:9347>
[...]
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
[...]
</VirtualHost>
<VirtualHost _default_:9348>
[...]
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
ProxyPass /ws2/ <HTTPS URL of remote service 2>
ProxyPassReverse /ws2/ <HTTPS URL of remote service 2>
[...]
</VirtualHost>
This solution requires using 2 ports instead of one, which I would like to avoid.
Can you help me?
Starting with 2.4.30 and later, you can configure SSLProxyMachineCertificateFile within a proxy section, i.e.
<Proxy HTTPS URL of remote service 1>
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
</Proxy>
<Proxy HTTPS URL of remote service 2>
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
</Proxy>
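Putting the answer's per-backend <Proxy> sections together with the question's single-VirtualHost setup, as an added example (not the question's or the answer's own configuration). The hostnames ws1.example.com and ws2.example.com, the server certificate paths and the backend CA bundle are placeholders.

```apache
# Added example: one VirtualHost on a single port, with a different client
# certificate per backend via <Proxy> sections (Apache 2.4.30 or later).
# ws1.example.com / ws2.example.com stand in for the two remote services.
<VirtualHost _default_:9347>
    SSLEngine on
    SSLCertificateFile    "C:/Apache24/conf/server.crt"   # placeholder server cert
    SSLCertificateKeyFile "C:/Apache24/conf/server.key"   # placeholder server key

    SSLProxyEngine on
    # Verify the backends' server certificates and hostnames; without these
    # directives mod_ssl will accept any certificate the backend presents.
    # backend-ca.pem (assumed path) holds the CA(s) that issued the backend certs.
    SSLProxyVerify require
    SSLProxyCACertificateFile "C:/Apache24/conf/backend-ca.pem"
    SSLProxyCheckPeerName on

    # Per-backend client certificate. Each PEM file must contain the client
    # certificate followed by its unencrypted private key; keep the files
    # readable only by the account httpd runs as.
    <Proxy "https://ws1.example.com/">
        SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
    </Proxy>
    <Proxy "https://ws2.example.com/">
        SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
    </Proxy>

    # The <Proxy> section whose URL prefix matches the backend URL selected
    # by ProxyPass decides which client certificate is sent.
    ProxyPass        /ws1/ https://ws1.example.com/
    ProxyPassReverse /ws1/ https://ws1.example.com/
    ProxyPass        /ws2/ https://ws2.example.com/
    ProxyPassReverse /ws2/ https://ws2.example.com/
</VirtualHost>
```

Check the result with `httpd -t` and then a request to each path; a backend that still rejects the handshake will show up as a client-certificate error in the SSL log (LogLevel ssl:debug) rather than as a generic 502.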