Will a self-signed certificate work behind an Apache reverse-proxy?


Question

We want to use Apache as our reverse proxy to a collection of app servers. We plan to use a CA-signed SSL certificate on the Apache instance but wanted to use self-signed certificates on the app server instances (so that the Apache to app server connection was also encrypted). We don't want to install a CA-signed SSL certificate on the app server instances if we don't have to.

Will Apache allow this configuration of having self-signed certificates on the app server instances?

Recommended answer

If you have a large collection of app servers, it would probably make more sense to have your own internal CA, instead of having to manage each self-signed certificate one by one.

If you want the connections between an Apache Httpd reverse proxy and its worker nodes to use HTTPS, you can configure the certificates trusted by Apache Httpd using the SSLProxy* directives of mod_ssl (as documented in the introduction of the mod_proxy documentation), in particular SSLProxyCACertificateFile.

You'll need to use mod_proxy_http for this, since AJP connections are not made over SSL/TLS.
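
A configuration sketch of the setup the answer describes, added here as an illustration and not part of the original answer. The host names, port and file paths are assumptions; the directives are those of mod_ssl and mod_proxy in Apache Httpd 2.4.

```apache
# Added example; host names, port and file paths are assumed placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Front end: the CA-signed certificate presented to clients.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Back end: allow mod_proxy_http to open https:// connections
    # to the app servers (needs mod_ssl, mod_proxy, mod_proxy_http).
    SSLProxyEngine on

    # Trust anchors for the app servers, in PEM format: the internal
    # CA certificate, or the app servers' self-signed certificates
    # concatenated into one file.
    SSLProxyCACertificateFile /etc/httpd/tls/backend-trust.pem

    # The default is "none": the link is encrypted but the app server
    # certificate is not verified. "require" makes Apache reject any
    # back end whose certificate does not chain to the file above.
    SSLProxyVerify require

    # Reject certificates that have expired or whose name does not
    # match the host name used in ProxyPass.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        /app/ https://app1.internal.example:8443/app/
    ProxyPassReverse /app/ https://app1.internal.example:8443/app/
</VirtualHost>
```

With per-server self-signed certificates, every certificate rotation means updating the trust file on the proxy; with an internal CA only the CA certificate has to be listed there.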
