Require SSL Client Certificate only for specific routes or controllers

Problem description

I have an ASP.NET MVC Core project using Kestrel as the server. It is both serving up user content (asp.net mvc) and hosts web API controllers that agents (software) communicate with. I have enabled HTTPS and client certificate support. The issue is that I want to require client certificates for agents (software) that call Web APIs but I do not want to require/prompt for client certificates for regular browser based users.

I have enabled HTTPS/client certificate support the following way:

using System.IO;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var host = new WebHostBuilder()
    .UseKestrel(options =>
    {
        // Kestrel 1.x HTTPS options: server certificate plus a client-certificate
        // policy that applies to every connection on the HTTPS endpoint
        HttpsConnectionFilterOptions httpsoptions = new HttpsConnectionFilterOptions();
        httpsoptions.ServerCertificate = CertUtil.GetServerCert();
        httpsoptions.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
        httpsoptions.CheckCertificateRevocation = false;

        options.UseHttps(httpsoptions);
    })
    .UseUrls("http://0.0.0.0:5000", "https://0.0.0.0:5001")
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseStartup<Startup>()
    .Build();
host.Run();

I have a separate middleware handler setup in Startup.cs to handle custom verification of client certificates. This code does successfully execute and everything works fine in that sense.

The problem is this happens globally and I am only looking to apply client certificates to specific controllers and/or routes; or really I would take any granularity at this point.

Essentially trying to create the same sort of behavior you can get in IIS by creating two virtual directories and then setting SSL Settings to Accept on one and Ignore on the other. The one with Accept will prompt the browser for a cert and the one with Ignore will not.

I tried setting HttpsConnectionFilterOptions to only specify ServerCertificate in hopes that not setting any client certificate related options would allow the server to receive client certificates if they are sent but otherwise not prompt browsers for them. This did not seem to work as my middleware client certificate handler never sees a client cert when calling this function (it does when ClientCertificateMode is set to AllowCertificate):

context.Connection.GetClientCertificateAsync();

I guess in short does Kestrel hosting even allow for more granular client certificate mapping/handling or is it only possible using IIS? IIS is not an option for this project and I would rather prefer not having to create a separate project/process just for the client cert api aspects. Appreciate any help!

Recommended answer

I've been trying to do the same thing, with exactly the same requirements as you.

I've come to the conclusion that it's not possible. My workaround is to use 2 WebHostBuilder objects - one for locations that don't need client certs, and one for those that do. This does have the downside that each IWebHost must listen on a different port, but from the scenario you describe I guess that's not a big issue.

I do this within the same process, so this solution fits that requirement.
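
The two-host layout the answer describes, as an added example (not the answerer's or the project's own code). It reuses the question's HttpsConnectionFilterOptions API and CertUtil.GetServerCert; PublicStartup, AgentStartup, ValidateAgentCert, the port numbers and the issuer string are assumed placeholders.

```csharp
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;

// PublicStartup (MVC views for browsers) and AgentStartup (Web API for agents) are hypothetical.
public static class Program
{
    // Builds one Kestrel host bound to a single HTTPS port with the given client-certificate policy.
    static IWebHost BuildHost<TStartup>(string url, ClientCertificateMode mode) where TStartup : class
    {
        return new WebHostBuilder()
            .UseKestrel(options =>
            {
                var https = new HttpsConnectionFilterOptions
                {
                    ServerCertificate = CertUtil.GetServerCert(), // same helper as in the question
                    ClientCertificateMode = mode,
                    CheckCertificateRevocation = false,
                };
                if (mode == ClientCertificateMode.RequireCertificate)
                {
                    // Only the agent host ever validates a client cert; handshake fails if this returns false.
                    https.ClientCertificateValidation = ValidateAgentCert;
                }
                options.UseHttps(https);
            })
            .UseUrls(url)
            .UseContentRoot(Directory.GetCurrentDirectory())
            .UseStartup<TStartup>()
            .Build();
    }

    static bool ValidateAgentCert(X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Placeholder policy: accept only a cleanly chained cert from the expected agent CA.
        return errors == SslPolicyErrors.None && cert.Issuer == "CN=Agent-CA (placeholder)";
    }

    public static void Main()
    {
        // Browser users: TLS only, no certificate prompt. Agents: TLS plus a mandatory client cert.
        var publicHost = BuildHost<PublicStartup>("https://0.0.0.0:5001", ClientCertificateMode.NoCertificate);
        var agentHost = BuildHost<AgentStartup>("https://0.0.0.0:5002", ClientCertificateMode.RequireCertificate);
        agentHost.Start();    // listens in the background on its own port
        publicHost.Run();     // blocks until shutdown; both listeners live in this one process
        agentHost.Dispose();
    }
}
```

Because the certificate policy is fixed per listener, the browser port never sends a CertificateRequest in the TLS handshake, while the agent port rejects any connection that does not present an acceptable certificate before a controller runs.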
