我一直在使用 httpd 卸载我的 SSL 处理并通过 AJP 将 http 请求转发到 tomcat。我现在转向 haproxy 而不是 httpd 和 HTTP 而不是 AJP。我能够通过 https 连接到 haproxy,并看到适当的 http 请求到达 tomcat。尝试验证客户端证书时,我的 tomcat 代码无法从证书中检索 CN。我在 haproxy.cfg 中添加了以下行,希望它能转发 http header 中的客户端证书信息:
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
查看 http 连接的捕获文件,我看到以下 http header :
GET /api/subscriber/count?_=1511258656303 HTTP/1.1
Host: 192.168.20.192
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Referer: https://192.168.20.192/dashboard.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: gsScrollPos-1158=0; gsScrollPos-536=0; gsScrollPos-873=2579; gsScrollPos-2263=0; gsScrollPos-472=0; gsScrollPos-468=; JSESSIONID=B433B96FB2616A8447703BFAE541DC2C
X-SSL: 1
X-SSL-Client-Verify: 0
X-SSL-Client-SHA1:
X-SSL-Client-DN:
X-SSL-Client-CN:
X-SSL-Issuer:
X-SSL-Client-Not-Before:
X-SSL-Client-Not-After:
X-Forwarded-Proto: https
X-Forwarded-For: ::ffff:192.168.12.171
Connection: close
如您所见,证书信息是空白的。
我做错了什么吗?将证书传递给 tomcat 还需要其他什么吗? 或者可以使用 AJP 使其工作吗?
这是我完整的 haproxy.cfg:
global
log 127.0.0.1 local4
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# ssl ciphers and options
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend https
mode http
bind :::443 ssl crt /opt/vasona/CA/private/sa_bundle.pem ca-file /opt/vasona/CA/certs/crtServer.crt verify optional
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
reqadd X-Forwarded-Proto:\ https
default_backend tomcat-mgmt
backend tomcat-mgmt
mode http
option tcp-smart-connect
server tomcat :8009
backend tomcat-cp-events
mode http
option tcp-smart-connect
server tomcat :23237
如果需要任何其他信息,请告诉我。 谢谢, 吉顿
最佳答案
原来我使用了错误的证书文件作为 ca 文件。一旦使用正确的 pem 文件,证书信息就会正确传递到后端。
关于tomcat - 客户端证书从haproxy转发到tomcat,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47410940/