Two Way SSL with Jetty and Null Cipher


Question

I have an application running in Jetty. In front of it, I have a load balancer. The requirement is to have SSL decryption done by the load balancer while the web container does only SSL client authentication.

The theory is that the load balancer is very efficient at decrypting the content and can do that and pass it in plain to the web container.

Any idea how this can be achieved?

Answer

It's not clear what you mean by "Null Cipher" in your title. There are 3 possible candidates: TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA. The first one doesn't perform any authentication, none of them offer any encryption. They're certainly useless for your objective. Use normal cipher suites (with both authentication and encryption) between the browser and the load-balancer. Encryption between the load-balancer and the worker nodes is generally optional, and only required if you don't trust the network where they sit (this would be a completely different SSL/TLS connection anyway and have nothing to do with the client-certificate authentication done by the end browser).

Only the SSL/TLS server can request (and verify) client-certificate authentication. In this case this will be the load balancer.

If you want to have your SSL/TLS traffic handled by your load balancer, it should verify the certificate (presumably against a CA you have configured), and then relay the certificate information to the worker nodes.

How you do this will depend on the load-balancer. If it's an Apache Httpd server, mod_proxy_ajp will relay the client certificate via the AJP protocol (SSLOptions +ExportCertData +StdEnvVars). mod_jk is also able to relay the full client-certificate chain if needed (JkOptions +ForwardSSLCertChain).

If you want to use mod_proxy_http, a trick is to pass the certificate via an HTTP header (mod_header), using something like RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s. You should make sure this header is cleared if it comes from the client's browser (who could forge it otherwise). In this case, you'll need to write a filter as part of your Jetty server to handle that header and place it into the javax.servlet.request.X509Certificate HttpServletRequest attribute (it should be an array of X509Certificate). After this, you should be more or less at the same stage as what you would have with AJP. This may also work with other load balancers if they're capable of populating an HTTP header in a similar way.
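The filter the answer describes, written out as an added example (not the answerer's code): a javax.servlet Filter for Jetty that reads the X-ClientCert header set by mod_headers, parses the PEM, and stores it in the javax.servlet.request.X509Certificate attribute. The load balancer address is a placeholder assumption; the filter only trusts the header from that address, as a second check behind clearing the header at the load balancer.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Maps the X-ClientCert header set by the load balancer onto the standard
// javax.servlet.request.X509Certificate attribute, so code behind the filter
// sees the same thing it would with AJP.
public class ForwardedClientCertFilter implements Filter {
    static final String HEADER = "X-ClientCert";
    static final String ATTR = "javax.servlet.request.X509Certificate";
    // Assumption (placeholder value): the load balancer's address. The header is
    // only honoured when the request arrives from there; anything else is treated
    // as if no client certificate had been presented.
    static final String TRUSTED_PROXY = "10.0.0.1";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String pem = http.getHeader(HEADER);
        if (pem != null && !pem.trim().isEmpty() && TRUSTED_PROXY.equals(req.getRemoteAddr())) {
            try {
                req.setAttribute(ATTR, new X509Certificate[] { parse(pem) });
            } catch (CertificateException e) {
                // A forwarded value that does not parse is a misconfiguration or
                // tampering; fail closed instead of continuing without a certificate.
                throw new ServletException("unparseable forwarded client certificate", e);
            }
        }
        chain.doFilter(req, res);
    }

    // SSL_CLIENT_CERT is PEM; once it has travelled in a header its line breaks
    // are typically folded into spaces, so strip the markers, let the MIME decoder
    // skip the whitespace, and hand the DER bytes to CertificateFactory.
    static X509Certificate parse(String pem) throws CertificateException {
        String body = pem.replace("-----BEGIN CERTIFICATE-----", "")
                         .replace("-----END CERTIFICATE-----", "");
        byte[] der = Base64.getMimeDecoder().decode(body);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Register it in web.xml (or programmatically) ahead of whatever performs authorization, and keep the RequestHeader unset / set pair on the Apache side so a browser-supplied X-ClientCert never reaches Jetty.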
