Configuration
可以使用 Lighttpd $HTTP“你我”_‘在rl’‘url’有條件地啟用 ssl.verifyclient.* 選項動態?
我應該為網站的單個端點啟用 ssl.verifyclient.* 選項,以繼續進行證書登錄或驗證。但它不起作用。
配置:
$HTTP["host"] =~ "^(.*\.|)example.com$"{ $SERVER["socket"] == ":443" { protocol = "https://" ssl.engine = "enable" ssl.disable-client-renegotiation = "disable" #server.name = "example.com" ssl.pemfile = "/etc/lighttpd/ssl/example.com.pem" ssl.ca-file = "/etc/lighttpd/ssl/bundle-ca.pem" ssl.honor-cipher-order = "enable" #ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384" #ssl.use-compression = "disable" setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload", "X-Frame-Options" => "DENY", "X-Content-Type-Options" => "nosniff" ) ssl.use-sslv2 = "enable" ssl.use-sslv3 = "enable" ssl.read-ahead = "enable" #ssl.disable-client-renegotiation = "disable" # It Works $HTTP["host"] == "ssl.example.com"{ server.name = "ssl.example.com" #ask for client cert ssl.verifyclient.activate = "enable" ssl.verifyclient.enforce = "enable" ssl.verifyclient.exportcert = "enable" #ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" ssl.verifyclient.depth = 3 } # It not Works $HTTP["url"] =~ "/backend/server/auth/ssl" { #ask for client cert ssl.verifyclient.activate = "enable" ssl.verifyclient.enforce = "disable" ssl.verifyclient.exportcert = "enable" #ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" ssl.verifyclient.depth = 10 } } }
是錯誤還是配置不匹配?
它不能工作。在將任何 HTTP 請求發送到伺服器之前協商 SSL。
在協商 SSL 連接時,客戶端使用 SSL 中的 SNI 功能發送虛擬主機名。客戶端驗證也在 SSL 連接協商期間發生。
只有在 SSL 會話建立後,客戶端才會向 Web 伺服器發送“GET /path/to/resource”請求。
您需要為整個域應用客戶端驗證。