Apache-2.2

Apache SSLVerifyClient - 排除一個 URL

  • January 8, 2015

我將 Apache 2.2 設置為反向代理。我的需要是對每個反向代理的 url 進行證書身份驗證,除了用於與智能手機同步郵件的一個 ( https://mailserver.com/Microsoft-Server-ActiveSync )。

以下是我如何配置 Apache 的代理部分:

ProxyRequests Off
SSLProxyEngine On
ProxyPass    /     https://internalserver/
ProxyPassReverse    /     https://internalserver/

<Proxy https://internalserver/Microsoft-Server-ActiveSync>
SSLVerifyClient none
</Proxy>


SSLVerifyClient require
SSLVerifyDepth 10

但是通過這種配置,Apache 也請求 Microsoft-Server-ActiveSync 的證書……有沒有辦法從證書請求中排除該 URL?

我是按照在 Internet 上找到的本指南製作的:http: //doc.nuxeo.com/display/ADMINDOC58/Configuring+a+Reverse+Proxy+to+Work+with+Live+Edit+and+Client+Certificate+Authentication

我不得不使用 ProxyMatch 指令和一些正則表達式的鬥爭:

ProxyRequests Off
SSLProxyEngine On
ProxyPass / https://internalserver/
ProxyPassReverse / https://internalserver/
SSLCACertificateFile /etc/pki/tls/certs/localhost.crt
SSLOptions +stdEnvVars

#Certificate access for all URLs except ActiveSync
<ProxyMatch ^(https\:\/\/internalserver\/(?!(Microsoft-Server-ActiveSync)))>
 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth 10
</ProxyMatch>

引用自:https://serverfault.com/questions/657887