Configure Apache Client Certificate Authentication for proxy


Question

I have 3 backend API servers (HTTPS). The API servers have different authorization permissions for different users, based on the user's certificate. I am configuring Apache to load-balance the 3 backend servers, like below:

<VirtualHost *:zzzz>
    # Front-end TLS: Apache terminates the client's TLS session here,
    # so the client's certificate never travels past this point.
    # SSLCACertificateFile alone does not ask the client for a certificate;
    # that would need SSLVerifyClient.
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile /path/to/ca.crt
    # Back-end TLS: Apache opens its own HTTPS connection to each member.
    # With all three peer checks off, the backend's certificate is not
    # verified at all.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    <Proxy balancer://api_server>
        BalancerMember https://xx.xx.xx.xx:yyyy
        BalancerMember https://xx.xx.xx.xx:yyyy
    </Proxy>
    ProxyPass / balancer://api_server/
</VirtualHost>

The problem is that when a client sends a request to Apache with a certificate, only the request goes to the API server, not the certificate, and the API server responds with "unauthorized user". I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, whereas in this case the authorization happens only based on the certificate.

Is there a way to blindly forward the HTTPS request to the API? Any other suggestions are warmly welcomed.

Answer

Transforming the comment into an answer, since it solved the OP's question.

The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client.

The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.
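As an added example (not part of the original question or answer), the following HAProxy configuration shows the layer 4 passthrough the answer refers to. In `mode tcp` HAProxy forwards the raw TLS bytes to a backend without terminating TLS, so the TLS handshake, including the client certificate, happens between the client and the backend API server itself. The frontend name, backend name, addresses and ports are placeholders.

```haproxy
# Added example: TLS passthrough (no SSL offloading) with HAProxy.
# Names, addresses and ports below are placeholders, not from the original post.

defaults
    mode tcp                # layer 4: HAProxy never decrypts the TLS stream
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend api_in
    bind *:443              # no "ssl crt ..." here: that would terminate TLS at HAProxy
    default_backend api_servers

backend api_servers
    balance roundrobin
    # "check" is a plain TCP connect health check. The client's TLS handshake,
    # client certificate included, goes straight to the chosen server, which
    # must therefore do its own client-certificate verification.
    server api1 10.0.0.11:8443 check
    server api2 10.0.0.12:8443 check
    server api3 10.0.0.13:8443 check
```

Two consequences of passthrough are worth checking before relying on it. First, the backend now sees HAProxy's address as the TCP source, and there is no HTTP layer at the proxy to add X-Forwarded-For; if the backend needs the original client address, HAProxy's `send-proxy` (PROXY protocol) on the `server` lines together with mod_remoteip's `RemoteIPProxyProtocol On` on an Apache backend is the usual answer. Second, if you do want Apache to stay in the path as an HTTP proxy, the alternative is to authenticate the client at Apache (`SSLVerifyClient require` against the CA in `SSLCACertificateFile`) and forward the verified identity to the backend in a request header (`SSLOptions +StdEnvVars` plus `RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"`); the backend must then authorize on that header, and must accept it only from the proxy, since any client that can reach the backend directly could otherwise set it.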
