CORS with client https certificates


Question

I have a site with two https servers. One (frontend) serves up a UI made of static pages. The other (backend) serves up a microservice. Both of them happen to be using the same (test) X509 certificate to identify themselves. Individually, I can connect to them both over https requiring the client certificate "tester".

We were hiding CORS issues until now by going through an nginx setup that makes the frontend and backend appear that they are same Origin. I have implemented the headers 'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials' for all requests; with methods, headers for preflight check requests (OPTIONS).


  • In Chrome, cross-site like this works just fine. I can see that front-end URLs and backend URLs are different sites. I see the OPTIONS requests being made before backend requests are made.

Even though Chrome doesn't seem to need it, I did find the XMLHttpRequest object that will be used to perform the request and set `xhr.withCredentials = true` on it, because that seems to be what fetch.js does under the hood when it gets `"credentials": "include"`. I noticed that there is an `xhr.setRequestHeader` function available that I might need to use to make Firefox happy.


  • Firefox behaves the same for the UI calls. But for all backend calls I get a 405. When it does this, no network connection to the server is made at all; the browser simply decided it was a 405 without performing any https request. Although this differs from Chrome's behaviour, the approach does make sense. Both the frontend UI and the backend service require a client certificate to be selected. When I connect to the UI, I select the certificate "tester". When it then makes backend requests, it could assume that the same client certificate should be used to reach the backend. But perhaps it assumes the certificate might be different, and I need to tell Firefox that as well.

Is anybody here using CORS in combination with 2 way SSL certificates like this, and had this Firefox problem and fixed it somewhere. I suspect that it's not a server-side fix, but something that the client needs to do.

Recommended answer

I haven't actually tested this using client certificates, but I seem to recall that Firefox will not send credentials if Access-Control-Allow-Origin is set to the * wildcard instead of an actual domain. See this page on MDN.

Also there's an issue with Firefox sending a CORS request to a server that expects the client certificate to be presented in the TLS handshake. Basically, Firefox will not send the certificate during the preflight, creating a chicken-and-egg problem. See this bug on bugzilla.
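The two points in the answer above, as an added nginx example that is not part of the question or the answer: the backend reflects only an allowlisted origin instead of `*` when it also sends `Access-Control-Allow-Credentials: true`, and it enforces the client certificate per request rather than at the TLS handshake, so the credential-less preflight can complete. The origin `https://frontend.example`, the host `backend.example`, the certificate paths and the upstream on port 8443 are assumed names.

```nginx
# Allowlist of origins. nginx omits add_header when the value is empty, so an
# unlisted Origin gets no Access-Control-Allow-Origin at all instead of "*".
map $http_origin $cors_origin {
    default                     "";
    "https://frontend.example"  $http_origin;
}

server {
    listen 443 ssl;
    server_name backend.example;
    ssl_certificate        /etc/nginx/server.pem;   # assumed paths
    ssl_certificate_key    /etc/nginx/server.key;
    ssl_client_certificate /etc/nginx/ca.pem;

    # WEAK: "ssl_verify_client on;" makes nginx refuse any request that arrives
    # without a client certificate. The preflight carries no credentials, so it
    # is refused before any CORS header is produced. Verify optionally at the
    # TLS layer and enforce the certificate per request instead.
    ssl_verify_client optional;

    location /api/ {
        # Preflight: answered here, no client certificate required.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "Content-Type" always;
            add_header Access-Control-Max-Age           600 always;
            add_header Vary                             Origin always;
            return 204;
        }

        # Actual (credentialed) request: the certificate must have verified.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # WEAK: "Access-Control-Allow-Origin *" together with
        # "Access-Control-Allow-Credentials true" is rejected by the browser for
        # credentialed requests; reflect the allowlisted origin instead.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials true always;
        add_header Vary                             Origin always;
        proxy_pass https://127.0.0.1:8443;   # assumed upstream
    }
}
```

The bugzilla issue concerns the preflight only; the `$ssl_client_verify` check still rejects any actual request that arrives without a verified client certificate.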

