使用mod_ssl的Elastic Stack 6.8 Apache 2.4.6
尝试利用ES 6.8及更高版本中包含的功能。我将Apache设置为具有智能卡身份验证的反向代理。该基本设置非常有效。用户导航到https example.com,并在提示输入他们的智能卡密码时,它将成功将其重定向到带有kibana用户名/密码屏幕的kibana界面。
如果我试图限制谁可以使用智能卡登录,似乎它也尝试登录Kibana(肯定会是一个奖励)。我在浏览器上收到了预期用户的此消息。如果未列出该用户,则会收到一条反映该消息的消息。
statusCode: 401
error: "Unauthorized"
message "[security_exception] unable to authenticate user [/common name/ou/etc/of/authorized/user] for REST request [/_xpack/security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security"\\\"\ & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"
在kibana或elasticsearch中,没有任何与此相关的日志。我的Apache client_client_access日志显示3个事件。包括专有名称
GET / HTTP/1.1 380
GET /favicon.ico HTTP/1.1 380
然后此条目不使用专有名称
GET /favicon.ico HTTP/1.1 -
有关信息日志级别的Apache error_log显示。
(client IP) - AH01964 Connection to child 3 established (server example.com:443)
-2秒后-
(client IP) - AH02221: Requesting connection re-negotiation
(client IP) - AH02226: Awaiting re-negotiation handshake
-4秒后-
(client IP) - AH02036: Faking HTTP Basic Auth header: "Authorization: Basic --long string--"
(server IP) - AH01964: Connection to child 0 established (server
example:com:443)
(client IP) - AH02036: Faking HTTP Basic Auth header: "Authorization: Basic --same long string--"
(server IP) - AH01964: Connection to child 0 established (server example:com:443)
(client IP) - AH01964 Connection to child 7 established (server example.com:443)
(client IP) - AH02221: Requesting connection re-negotiation
(client IP) - AH02226: Awaiting re-negotiation handshake
(client IP) - AH02226: Re-negotiation handshake failed
(client IP) - AH01998: Connection closed to child 7 with abortive shutdown (server example:com:443)
(client IP) - AH01382: Request header read timeout
(client IP) - AH01991: SSL input filter read failed
我的Apache虚拟主机配置看起来像这样。
<VirtualHost example.com:443>
ServerAdmin Me
ServerName example.com
DocumentRoot "/var/www"
#activate HTTPS on the reverse proxy
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/pki/tls/certs/example.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/chainfile.pem
#activate the client certificate authentication
SSLCACertificateFile /etc/pki/tls/chainfile.pem
SSLCARevocationPath /etc/pki/tls/certs/CRL
CustomLog logs/client_access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN}x %r %b"
<location />
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
SSLUserName SSL_Client_S_DN
#Initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_CN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""
#add all the SSL you need in the internal web applications
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
ProxyPass https://example.com:5601
ProxyPassReverse https://example.com:5601
AuthName "Restricted Access"
AuthType Basic
AuthBasicProvider file
AuthUserFile /etc/httpd/userlist.txt
Require valid-user
</location>
<proxy *>
AddDefaultCharset Off
Require all granted
</proxy>
</VirtualHost>
如果我注释掉所有RequestHeader项,则不会给我带来任何不同。
我正在尝试至少允许智能卡登录到所需用户。更好的是,我可以将所需的用户信息传递给Kibana并让他们登录并获得所需的权限。