配置 HTTPS 转发代理时出错(AH02268:下游服务器需要客户端证书,但已配置 none)
Error configuring a HTTPS forward proxy (AH02268: downstream server wanted client certificate but none are configured)
我想我一起犯了几个错误,但我被卡住了,我要疯了。而且我想这个问题已经提出了,但是,即使搜索了很多,我也找不到这个确切的案例发布在任何地方。
我正在处理的任务是通过代理调用远程 HTTPS 服务器:
wget http://localhost/remote?wsdl
指向
https://someserver.com/service?wsdl
图中:
(http) (https)
client ------> localhost -------> someserver.com
使用出色的 Apache Web 服务器(真的,不是开玩笑)。
证书交换发生在代理和远程服务器之间,我已经在代理上安装了带有私钥的客户端证书。客户在 .p12 文件中给了我证书。
尝试使用 SoapUI 和相同的证书测试所需的网络服务,我得到了预期的行为(一切正常)。但现在我必须从中间件调用服务。为此,我正在使用 Apache 配置 SSL 代理。
我尝试了两种方法,都没有成功:
1)分别在两个文件中定义代理和定义SSL参数:
/etc/apache2/conf.d/mods-available/ssl.conf
/etc/apache2/conf.d/mods-available/proxy.conf
第一个文件包含:
# /etc/apache2/conf.d/mods-available/ssl.conf
SSLPassPhraseDialog exec:/usr/local/etc/apache2/pwf.sh # to avoid manuallly entering passphrase
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
ErrorLog /var/log/ssl_error_log
TransferLog /var/log/ssl_access_log
LogLevel warn
SSLEngine off
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/certificate.pem
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/chain.pem
CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
第二个文件包含:
# /etc/apache/conf.d/mods-available/proxy.conf
SetEnv proxy-sendcl 1
SSLProxyEngine On
ProxyPass /remote https://someserver.com/service
ProxyPassReverse /remote https://someserver.com/service
我通过以下方式启用了这些模块:
sudo a2enmod proxy & a2enmod ssl
2) 定义虚拟主机
/etc/apache2/conf.d/sites-available/remote.conf
此方法与前一种方法互斥:
#
# remote.local
<VirtualHost SOMEIP:443>
ProxyRequests on
DocumentRoot /var/www/html/remote
ServerName someserver.com
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/certificate.pem
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/chain.pem
ProxyPreserveHost On
ErrorLog ${APACHE_LOG_DIR}/error_remote.log
CustomLog ${APACHE_LOG_DIR}/access_remote.log combined
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
<Location /remote>
ProxyPass https://someserver.com/service
ProxyPassReverse https://someserver.com/service
Order allow,deny
Allow from all
</Location>
</VirtualHost>
我启用了它:
sudo a2ensite remote
在我尝试的两种方法中的任何一种中,当我尝试访问本地 URL:
时,我都会遇到这些(相同的)错误
[Thu Jun 11 18:39:15.724705 2020] [ssl:warn] [pid 30578] AH02268: Proxy client certificate callback: (localhost:80) downstream server wanted client certificate but none are configured
[Thu Jun 11 18:39:15.794381 2020] [proxy_http:error] [pid 30578] (20014)Internal error (specific information not available): [client ::1:49118] AH01102: error reading status line from remote server someserver.com:443
[Thu Jun 11 18:39:15.794585 2020] [proxy:error] [pid 30578] [client ::1:49118] AH00898: Error reading from remote server returned by /remote/
证书链正常:
openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
显示 CA、中间和服务器证书的所有证书颁发者和主题:
openssl verify -CAfile ca.pem -untrusted chain.pem certificate.pem
certificate.pem: OK
任何建议将不胜感激,在此先感谢。
我错过了为反向代理配置证书,即部分
SSLProxyMachineCertificateFile
我想我一起犯了几个错误,但我被卡住了,我要疯了。而且我想这个问题已经提出了,但是,即使搜索了很多,我也找不到这个确切的案例发布在任何地方。
我正在处理的任务是通过代理调用远程 HTTPS 服务器:
wget http://localhost/remote?wsdl
指向
https://someserver.com/service?wsdl
图中:
(http) (https)
client ------> localhost -------> someserver.com
使用出色的 Apache Web 服务器(真的,不是开玩笑)。
证书交换发生在代理和远程服务器之间,我已经在代理上安装了带有私钥的客户端证书。客户在 .p12 文件中给了我证书。
尝试使用 SoapUI 和相同的证书测试所需的网络服务,我得到了预期的行为(一切正常)。但现在我必须从中间件调用服务。为此,我正在使用 Apache 配置 SSL 代理。
我尝试了两种方法,都没有成功:
1)分别在两个文件中定义代理和定义SSL参数:
/etc/apache2/conf.d/mods-available/ssl.conf
/etc/apache2/conf.d/mods-available/proxy.conf
第一个文件包含:
# /etc/apache2/conf.d/mods-available/ssl.conf
SSLPassPhraseDialog exec:/usr/local/etc/apache2/pwf.sh # to avoid manuallly entering passphrase
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
ErrorLog /var/log/ssl_error_log
TransferLog /var/log/ssl_access_log
LogLevel warn
SSLEngine off
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/certificate.pem
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/chain.pem
CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
第二个文件包含:
# /etc/apache/conf.d/mods-available/proxy.conf
SetEnv proxy-sendcl 1
SSLProxyEngine On
ProxyPass /remote https://someserver.com/service
ProxyPassReverse /remote https://someserver.com/service
我通过以下方式启用了这些模块:
sudo a2enmod proxy & a2enmod ssl
2) 定义虚拟主机
/etc/apache2/conf.d/sites-available/remote.conf
此方法与前一种方法互斥:
#
# remote.local
<VirtualHost SOMEIP:443>
ProxyRequests on
DocumentRoot /var/www/html/remote
ServerName someserver.com
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/certificate.pem
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/chain.pem
ProxyPreserveHost On
ErrorLog ${APACHE_LOG_DIR}/error_remote.log
CustomLog ${APACHE_LOG_DIR}/access_remote.log combined
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
<Location /remote>
ProxyPass https://someserver.com/service
ProxyPassReverse https://someserver.com/service
Order allow,deny
Allow from all
</Location>
</VirtualHost>
我启用了它:
sudo a2ensite remote
在我尝试的两种方法中的任何一种中,当我尝试访问本地 URL:
时,我都会遇到这些(相同的)错误[Thu Jun 11 18:39:15.724705 2020] [ssl:warn] [pid 30578] AH02268: Proxy client certificate callback: (localhost:80) downstream server wanted client certificate but none are configured
[Thu Jun 11 18:39:15.794381 2020] [proxy_http:error] [pid 30578] (20014)Internal error (specific information not available): [client ::1:49118] AH01102: error reading status line from remote server someserver.com:443
[Thu Jun 11 18:39:15.794585 2020] [proxy:error] [pid 30578] [client ::1:49118] AH00898: Error reading from remote server returned by /remote/
证书链正常:
openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
显示 CA、中间和服务器证书的所有证书颁发者和主题:
openssl verify -CAfile ca.pem -untrusted chain.pem certificate.pem
certificate.pem: OK
任何建议将不胜感激,在此先感谢。
我错过了为反向代理配置证书,即部分
SSLProxyMachineCertificateFile