我一直在使用httpd来卸载我的SSL处理,并通过AJP将http请求转发给tomcat。我现在转向haproxy而不是httpd和HTTP而不是AJP。我可以通过https连接到haproxy并查看到tomcat的相应http请求。在尝试验证客户端证书时,我的tomcat代码无法从证书中检索CN。我在haproxy.cfg中添加了以下行,希望它能在http头中转发客户端证书信息:
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
查看http连接的捕获文件我看到以下http标头:
GET /api/subscriber/count?_=1511258656303 HTTP/1.1
Host: 192.168.20.192
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Referer: https://192.168.20.192/dashboard.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: gsScrollPos-1158=0; gsScrollPos-536=0; gsScrollPos-873=2579; gsScrollPos-2263=0; gsScrollPos-472=0; gsScrollPos-468=; JSESSIONID=B433B96FB2616A8447703BFAE541DC2C
X-SSL: 1
X-SSL-Client-Verify: 0
X-SSL-Client-SHA1:
X-SSL-Client-DN:
X-SSL-Client-CN:
X-SSL-Issuer:
X-SSL-Client-Not-Before:
X-SSL-Client-Not-After:
X-Forwarded-Proto: https
X-Forwarded-For: ::ffff:192.168.12.171
Connection: close
您可以看到证书信息为空白。
我做错了吗?还有什么需要将证书传递给tomcat吗? 或者这可以使用AJP吗?
这是我的完整haproxy.cfg:
global
log 127.0.0.1 local4
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# ssl ciphers and options
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend https
mode http
bind :::443 ssl crt /opt/vasona/CA/private/sa_bundle.pem ca-file /opt/vasona/CA/certs/crtServer.crt verify optional
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
reqadd X-Forwarded-Proto:\ https
default_backend tomcat-mgmt
backend tomcat-mgmt
mode http
option tcp-smart-connect
server tomcat :8009
backend tomcat-cp-events
mode http
option tcp-smart-connect
server tomcat :23237
如果需要任何其他信息,请告诉我。 谢谢, 吉顿
答案 0 :(得分:0)
结果我使用了错误的证书文件作为ca文件。一旦使用正确的pem文件,证书信息就会正确传递到后端。