Apache-2.2
Apache SSLVerifyClient - 排除一個 URL
我將 Apache 2.2 設置為反向代理。我的需要是對每個反向代理的 url 進行證書身份驗證,除了用於與智能手機同步郵件的一個 ( https://mailserver.com/Microsoft-Server-ActiveSync )。
以下是我如何配置 Apache 的代理部分:
ProxyRequests Off SSLProxyEngine On ProxyPass / https://internalserver/ ProxyPassReverse / https://internalserver/ <Proxy https://internalserver/Microsoft-Server-ActiveSync> SSLVerifyClient none </Proxy> SSLVerifyClient require SSLVerifyDepth 10
但是通過這種配置,Apache 也請求 Microsoft-Server-ActiveSync 的證書……有沒有辦法從證書請求中排除該 URL?
我是按照在 Internet 上找到的本指南製作的:http: //doc.nuxeo.com/display/ADMINDOC58/Configuring+a+Reverse+Proxy+to+Work+with+Live+Edit+and+Client+Certificate+Authentication
我不得不使用 ProxyMatch 指令和一些正則表達式的鬥爭:
ProxyRequests Off SSLProxyEngine On ProxyPass / https://internalserver/ ProxyPassReverse / https://internalserver/ SSLCACertificateFile /etc/pki/tls/certs/localhost.crt SSLOptions +stdEnvVars #Certificate access for all URLs except ActiveSync <ProxyMatch ^(https\:\/\/internalserver\/(?!(Microsoft-Server-ActiveSync)))> SSLRequireSSL SSLVerifyClient require SSLVerifyDepth 10 </ProxyMatch>