Configure Apache Client Certificate Authentication for proxy
Problem description
I have 3 backend API servers (HTTPS). The API servers have different authorization permissions for different users based on the user certificate. I am configuring Apache to load balance the 3 backend servers, like below:
<VirtualHost *:zzzz>
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile /path/to/ca.crt
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    <Proxy balancer://api_server>
        BalancerMember https://xx.xx.xx.xx:yyyy
        BalancerMember https://xx.xx.xx.xx:yyyy
    </Proxy>
    ProxyPass / balancer://api_server/
</VirtualHost>
The problem is that when a client requests Apache with certificates, only the request goes to the API server, not the certificates, and the API server responds with unauthorized user. I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, but in this case the authorization happens only based on certificates.
Is there a way to blindly forward HTTPS requests to the API? Any other suggestions are warmly welcomed.
Recommended answer
Transforming the comment into an answer since it solved the OP's question.
The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client.
The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.
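A layer 4 pass-through of the kind the answer describes, sketched here with HAProxy in TCP mode. This is an added example, not part of the original question or answer; the choice of HAProxy, the listening port, the backend addresses (documentation-range placeholders) and all section and server names are assumptions.

```haproxy
# Added example: TLS pass-through load balancing (no SSL offloading).
# The balancer never terminates TLS, so it needs no server.crt/server.key.
# Each client completes its TLS handshake directly with an API server,
# which therefore sees the client's own certificate and can authorize on it.

defaults
    mode tcp                 # forward raw TCP; do not parse HTTP or TLS
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend api_passthrough     # hypothetical name
    bind *:8443              # placeholder for the public port
    option tcplog            # log connections; no HTTP fields are visible here
    default_backend api_servers

backend api_servers          # hypothetical name
    balance roundrobin
    # Placeholder addresses for the three backend API servers.
    # "check" enables a plain TCP connect health check.
    server api1 192.0.2.11:8443 check
    server api2 192.0.2.12:8443 check
    server api3 192.0.2.13:8443 check

# Consequences to plan for:
# - Clients validate the API servers' own certificates, so every backend
#   certificate must cover the hostname clients use to reach the balancer.
# - The balancer cannot route on path, add headers or log requests,
#   because the HTTP traffic stays encrypted end to end.
# - Backends see the balancer's IP as the source address; authorization
#   still works because it is based on the client certificate.
```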