I have a set of backend APIs that require client certificate authentication. I want to set up an Apache forward proxy that accepts requests over HTTP (inside a private network) and has Apache authenticate to the backend APIs with the client certificate.
When using Apache as a reverse proxy, I can get this working:
Listen 5454
<VirtualHost *:5454>
SSLProxyEngine on
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateChainFile "/path/to/ca/ca.crt"
SSLProxyMachineCertificateFile "/path/to/cert/cert_and_key.pem"
SSLProxyVerify require
ProxyRequests Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / https://example.com/
ProxyPassReverse / https://example.com/
</VirtualHost>
The following returns the content of https://example.com:
curl http://localhost:5454
However, when switching to a forward proxy configuration, the backend request is not authenticated with the client certificate:
Listen 5454
<VirtualHost *:5454>
SSLProxyEngine on
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateChainFile "/path/to/ca/ca.crt"
SSLProxyMachineCertificateFile "/path/to/cert/cert_and_key.pem"
SSLProxyVerify require
ProxyRequests On
<Proxy *>
Require all granted
</Proxy>
</VirtualHost>
It looks like Apache is not using the client certificate, because the following fails:
curl --proxy http://localhost:5454 https://www.example.com
curl: (56) NSS: client certificate not found (nickname not specified)
Am I missing some configuration? Is it possible to set up Apache this way (and should it even be done this way)? I would welcome any suggestions for alternatives!
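An added example, not from the poster or from the Apache project: a small Python check that flags the two points a defender would look for in the forward-proxy vhost above. With ProxyRequests On, an HTTPS request sent through the proxy arrives as CONNECT and is tunnelled end to end, so SSLProxyMachineCertificateFile is never presented to the backend; and `<Proxy *>` with `Require all granted` on a forward proxy lets any client that can reach port 5454 relay through it. The parser assumes the flat, one-directive-per-line layout shown in the question.

```python
# Constructed sample: the forward-proxy vhost from the question above.
FORWARD_PROXY_CONF = """
<VirtualHost *:5454>
SSLProxyEngine on
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateChainFile "/path/to/ca/ca.crt"
SSLProxyMachineCertificateFile "/path/to/cert/cert_and_key.pem"
SSLProxyVerify require
ProxyRequests On
<Proxy *>
Require all granted
</Proxy>
</VirtualHost>
"""


def parse_vhosts(conf):
    """Return one dict per <VirtualHost>: directive name -> list of values.
    Lines inside a nested <Proxy ...> block are collected under the key '<Proxy>'."""
    vhosts, current, proxy = [], None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            current = {}
        elif low == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif current is None:
            continue  # directives outside any vhost (e.g. Listen) are ignored
        elif low.startswith("<proxy"):
            proxy = []
        elif low == "</proxy>":
            current.setdefault("<Proxy>", []).extend(proxy)
            proxy = None
        elif proxy is not None:
            proxy.append(line)
        else:
            name, _, value = line.partition(" ")
            current.setdefault(name, []).append(value.strip().strip('"'))
    return vhosts


def audit(conf):
    """Flag forward-proxy vhosts whose client cert can never be used, and open relays."""
    findings = []
    for vh in parse_vhosts(conf):
        forward = any(v.lower() == "on" for v in vh.get("ProxyRequests", []))
        if forward and "SSLProxyMachineCertificateFile" in vh:
            findings.append("forward-proxy-client-cert-unused")  # CONNECT is tunnelled, cert not sent
        if forward and any(l.lower() == "require all granted" for l in vh.get("<Proxy>", [])):
            findings.append("open-forward-proxy")  # anyone reaching the port may relay
    return findings
```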