Apache mod_proxy calling back to the content server with a client certificate


Setup

  • ServerA: Apache running an HTTPS site that requires a client certificate to connect. See the details below on /etc/apache2/sites-available/secure.site.conf and /etc/apache2/mods-available/ssl.conf

  • ClientA: browser connecting to ServerA using a client certificate

  • Proxy on ServerB: Apache acting as a forward proxy, which must be able to connect to ServerB using a client and server certificate; see the details below on /etc/apache2/sites-available/forward.proxy.conf

  • ClientB: browser using the proxy on ServerB to access the content on ServerA without needing a client certificate.

Status

  • WORKING: ClientA -OK-> ServerA
  • NOT working: ClientB -OK-> Proxy on ServerB -X-> ServerA

Workarounds: I found SEnginx, which should be able to do the job

This is a fallback in case Apache is not able to do it ...

Log files

/var/log/apache2/proxy_8004_access.log
    all lines start with [Wed Nov 18 23:42:00.888597 2015] [proxy:debug] [pid 4374:tid 140546074822528] 
    [...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
    [...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
    [...] proxy_util.c(1848): AH00930: initialized pool in child 4374 for (*) min=0 max=25 smax=25
    [...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
    [...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
    [...] proxy_util.c(1848): AH00930: initialized pool in child 4373 for (*) min=0 max=25 smax=25

/var/log/apache2/secure.site_error.log
    all lines start with [Wed Nov 18 23:42:13.462770 2015] [core:trace6] [pid 4374:tid 140545817044736] 
    [...] core_filters.c(527): [client 192.168.0.30:59423] core_output_filter: flushing because of FLUSH bucket
    [...] ssl_engine_kernel.c(1807): [client 192.168.0.30:59423] OpenSSL: Write: unknown state
    [...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
    [...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
    [...] [client 192.168.0.30:59423] AH02008: SSL library error 1 in handshake (server secure.site:443)
    [...] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
    [...] [client 192.168.0.30:59423] AH01998: Connection closed to child 70 with abortive shutdown (server secure.site:443)

Configuration details

Server A - client certificate creation

mkdir -p /root/myCA/CA /root/myCA/server /root/myCA/user; cd /root/myCA; echo 01 > serial; touch index.txt
# note: "openssl ca" takes its database location from the "dir" setting in the [ CA_default ] section of the
# config it is given (the stock /etc/ssl/openssl.cnf points at ./demoCA), so serial and index.txt must sit
# where that setting expects them, or the config must be changed to point at /root/myCA

#CA creation (1024-bit RSA as posted; 2048 bits or more is the accepted minimum today)
openssl genrsa -out /root/myCA/CA/myCA.key 1024
openssl req -new -key /root/myCA/CA/myCA.key -out /root/myCA/CA/myCA.csr
 input>Common Name (e.g. server FQDN or YOUR name) []:myCA
openssl x509 -req -days 3650 -in /root/myCA/CA/myCA.csr -out /root/myCA/CA/myCA.crt -signkey /root/myCA/CA/myCA.key
#SERVER cert creation
# -des3 passphrase-protects the key; Apache will ask for the passphrase at every start unless SSLPassPhraseDialog is configured
openssl genrsa -des3 -out /root/myCA/server/secure.site.key 1024
 input>password
openssl req -new -key /root/myCA/server/secure.site.key -out /root/myCA/server/secure.site.csr
 input> Common Name (e.g. server FQDN or YOUR name) []:secure.site
openssl ca -days 3650 -in /root/myCA/server/secure.site.csr -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/server/secure.site.crt -config /etc/ssl/openssl.cnf
#client cert creation
openssl genrsa -des3 -out /root/myCA/user/[email protected] 1024
 input>password
openssl req -new -key /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
 input >Common Name (e.g. server FQDN or YOUR name) []:Developers
# same config/database caveat as above; the stock usr_cert extensions set CA:FALSE but no extendedKeyUsage,
# add clientAuth if the server policy demands it
openssl ca -in /root/myCA/user/[email protected] -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/user/[email protected]
openssl x509 -in /root/myCA/user/[email protected] -text
#export for usage in browser 
openssl pkcs12 -export -clcerts -in /root/myCA/user/[email protected] -inkey /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
#concat file for proxy
# SSLProxyMachineCertificateFile needs the certificate and an UNENCRYPTED private key in one PEM file
# (mod_ssl has no passphrase support for proxy client keys), so strip the -des3 passphrase first:
#   openssl rsa -in <client.key> -out <client.nopass.key>   (then chmod 600 the result)
cat [email protected] [email protected] > [email protected]


Server A    /etc/apache2/sites-available/secure.site.conf (full file)
                <IfModule mod_ssl.c>
                    <VirtualHost _default_:443>
                        ServerName secure.site
                        DocumentRoot /var/www/secure.site/www

                        LogLevel trace8 ssl:trace8
                        ErrorLog ${APACHE_LOG_DIR}/secure.site_error.log
                        CustomLog ${APACHE_LOG_DIR}/secure.site_access.log combined

                        SSLEngine on
                        SSLCertificateFile      /root/myCA/server/secure.site.crt
                        SSLCertificateKeyFile   /root/myCA/server/secure.site.key
                        # CA used to verify the client certificates presented to this server
                        SSLCACertificateFile    /root/myCA/CA/myCA.crt
                    </VirtualHost>
                </IfModule>

            /etc/apache2/mods-available/ssl.conf (only the lines that were added)
                added at the end
                    SSLVerifyClient require
                    SSLVerifyDepth 2

 Server B   /etc/apache2/sites-available/forward.proxy.conf
                Listen 8004
                <VirtualHost *:8004>
                        # forward-proxy mode: https:// requests arrive as CONNECT and are tunnelled unchanged
                        ProxyRequests On
                        ProxyVia On

                        LogLevel trace8 ssl:trace8
                        # note: the error and access log file names are swapped here; the log excerpts
                        # above are quoted from the files as configured
                        ErrorLog ${APACHE_LOG_DIR}/proxy_8004_access.log
                        CustomLog ${APACHE_LOG_DIR}/proxy_8004_error.log combined

                        # verifies client certs presented TO this vhost; it does not verify ServerA's certificate
                        SSLCACertificateFile "/root/myCA/CA/myCA.crt"
                        # only consulted for TLS connections mod_ssl itself opens to a backend (requires SSLProxyEngine On)
                        SSLProxyMachineCertificateFile "/root/myCA/user/[email protected]"
                </VirtualHost>
    
by Marco 18.11.2015 / 14:09

0 answers
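The following is an added example, not part of the original post (which has no answers), of a ServerB configuration under which Apache actually presents the client certificate to ServerA; the file name reverse.proxy.conf, the 192.168.0.0/24 client network and the client.nopass.pem key file are assumptions, everything else is taken from the post. With `ProxyRequests On`, a browser that fetches an https:// URL through the proxy sends a `CONNECT secure.site:443` request and mod_proxy_connect then relays raw bytes between the browser and ServerA. The TLS handshake runs end to end between ClientB's browser and ServerA, so `SSLProxyMachineCertificateFile` is never used, and ServerA's request for a client certificate reaches a browser that has none; that is the `peer did not return a certificate` error ServerA logs for the connection from 192.168.0.30. For ServerB to authenticate with the client certificate it has to terminate the browser's connection itself and open its own TLS session to ServerA, which is reverse-proxy mode (`ProxyPass` with `SSLProxyEngine On`). Two consequences to plan for: the private key in the machine-certificate file must be unencrypted (mod_ssl does not support encrypted keys there, and the posted procedure generated it with -des3), and because ServerB now satisfies ServerA's client-certificate check on behalf of anyone who can reach port 8004, access to the proxy vhost has to be restricted or the client-certificate requirement has effectively been removed.

```apache
# /etc/apache2/sites-available/reverse.proxy.conf on ServerB (added example; file name assumed)
# Needs: a2enmod proxy proxy_http ssl   (mod_proxy_connect is no longer required)
Listen 8004
<VirtualHost *:8004>
    # Reverse-proxy mode: ServerB terminates ClientB's connection and makes
    # its own request to ServerA instead of tunnelling a CONNECT request.
    ProxyRequests Off
    ProxyVia On

    # Gate the proxy: it holds a key that satisfies ServerA's client-certificate
    # check, so whoever reaches this vhost inherits that access.
    # 192.168.0.0/24 stands for ClientB's network (assumption).
    <Location "/">
        Require ip 192.168.0.0/24
    </Location>

    # TLS towards ServerA: mod_ssl acts as the TLS client on this hop.
    SSLProxyEngine On
    # Certificate followed by its UNENCRYPTED private key in one PEM file
    # (strip the passphrase with: openssl rsa -in client.key -out client.nopass.key; chmod 600).
    SSLProxyMachineCertificateFile "/root/myCA/user/client.nopass.pem"
    # Verify ServerA's certificate against the private CA and check that the
    # name in it matches the ProxyPass host (SSLProxyCheckPeerName needs 2.4.5+).
    SSLProxyCACertificateFile "/root/myCA/CA/myCA.crt"
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCheckPeerName on

    # ServerB must resolve secure.site (DNS or /etc/hosts) to ServerA's address.
    ProxyPass        "/" "https://secure.site/"
    ProxyPassReverse "/" "https://secure.site/"

    # The ClientB -> ServerB hop is plain HTTP on 8004 as in the post; add
    # SSLEngine on plus a server certificate here if it should be encrypted too.
    ErrorLog  ${APACHE_LOG_DIR}/proxy_8004_error.log
    CustomLog ${APACHE_LOG_DIR}/proxy_8004_access.log combined
</VirtualHost>
```

Before restarting Apache, the client-certificate handshake can be checked from ServerB on its own with `openssl s_client -connect secure.site:443 -cert <client.crt> -key <client.nopass.key> -CAfile /root/myCA/CA/myCA.crt`, which should end with `Verify return code: 0 (ok)` and serve a page instead of the handshake failure; if that works but the proxied request does not, the problem is in the vhost rather than the PKI. Note that ServerA then sees every ClientB user as the single "Developers" certificate, so any per-user logging or authorization has to be done on ServerB.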