Support for two-way TLS/HTTPS with ELB

Views: 504

Question

One way (or server side) TLS/HTTPS with Amazon Elastic Load Balancing is well documented (http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html).

Support for two-way (or client side) TLS/HTTPS is not as clear from the documentation.

Assuming ELB is terminating a TLS/HTTPS connection:

  1. Does ELB support client authenticated HTTPS connections (https://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake)?
  2. If so, does a server served by ELB receive a X-Forwarded-* header (http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#x-forwarded-headers) to identify the client authenticated by ELB?

ELB does support TCP forwarding so an EC2 hosted server can establish a two-way TLS/HTTPS connection, but in this case I am interested in ELB terminating the TLS/HTTPS connection and identifying the client.

Answer

I don't see how it could, in double-ended HTTPS mode, because the ELB is establishing a second TCP connection to the back-end server, and internally it's decrypting/encrypting the payload to/from the client and server... so the server wouldn't see the client certificate directly, and there are no documented X-Forwarded-* headers other than -For, -Proto, and -Port.

With an ELB running in TCP mode, on the other hand, the SSL negotiation is done directly between the client and server with ELB blindly tying the streams together. If the server supports the PROXY protocol, you could enable that functionality in the ELB (http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html) so that you could identify the client's originating IP and port at the server, as well as identifying the client certificate directly because the client would be negotiating directly with you... though this means you are no longer offloading SSL to the ELB, which may be part of the point of what you are trying to do.

Update:

It doesn't look like there's a way to do everything you want to do -- offload SSL and identify the client certificate -- with ELB alone. The information below is presented "for what it's worth."

Apparently HAProxy has support for client-side certificates in version 1.5, and passes the certificate information in X- headers. Since HAProxy also supports the PROXY protocol via configuration (something along the lines of `tcp-request connection expect-proxy`, http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20connection), it seems conceivable that you could use HAProxy behind a TCP-mode ELB, with HAProxy terminating the SSL connection and forwarding both the client IP/port information from ELB (via the PROXY protocol) and the client cert information to the application server... thus allowing you to still maintain SSL offload.

I mention this because it seems to be a complementary solution, perhaps more feature-complete than either platform alone, and, at least in 1.4, the two products work flawlessly together -- I am using HAProxy 1.4 behind ELB successfully for all requests in my largest web platform (in my case, ELB is offloading the SSL -- there aren't client certs) and it seems to be a solid combination in spite of the apparent redundancy of cascaded load balancers. I like having ELB being the only thing out there on the big bad Internet, though I have no reason to think that directly-exposed HAProxy would be problematic on its own. In my application, the ELBs are there to balance between the HAProxies in the A/Z's (which I had originally intended to also auto-scale, but the CPU utilization stayed so low even during our busy season that I never had more than one per Availability Zone, and I've never lost one, yet...) which can then do some filtering, forwarding, and munging of headers before delivering the traffic to the actual platform in addition to giving me some logging, rewriting, and traffic-splitting control that I don't have with ELB on its own.
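The TCP-mode ELB plus HAProxy 1.5 arrangement the answer sketches, written out as an added example configuration (not from the answer or from the HAProxy project). It assumes the ELB listener forwards raw TCP on 443 with PROXY protocol enabled; the certificate paths and the backend address are placeholders.

```haproxy
# Added example: HAProxy 1.5 behind a TCP-mode ELB with PROXY protocol on.
# HAProxy terminates TLS, requires a client certificate, and forwards the
# real client address plus certificate details to a plain-HTTP app tier.
# /etc/haproxy/* paths and 10.0.1.10:8080 are assumed placeholders.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # accept-proxy: parse the PROXY header the ELB prepends, so 'src'
    # below is the original client, not the ELB's address.
    # verify required: the handshake fails unless the client presents a
    # certificate that chains to client-ca.pem (mutual TLS is enforced here,
    # since the ELB in TCP mode sees only opaque bytes).
    bind :443 accept-proxy ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify required

    # Strip any X-SSL-* headers the client itself sent, so the backend can
    # treat these names as set only by HAProxy.
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-CN

    # Certificate identity for the application server (subject DN and CN).
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]

    # Original client address and scheme, equivalent to what the ELB would
    # have set in HTTPS mode but now sourced from the PROXY header.
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https

    default_backend app

backend app
    # TLS is offloaded at HAProxy; traffic to the app tier stays inside the VPC.
    server app1 10.0.1.10:8080 check
```

The application must only trust the X-SSL-* headers when the request could have arrived through this HAProxy (for example, by binding the app port to the private network), since any path that bypasses it could supply them freely.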
