Configuration

Can the ssl.verifyclient.* options be enabled conditionally and dynamically with Lighttpd's $HTTP["url"]?

  • April 7, 2017

I need to enable the ssl.verifyclient.* options for a single endpoint of the site, to proceed with certificate login or verification. But it does not work.

Configuration:

$HTTP["host"] =~ "^(.*\.|)example.com$" {

    $SERVER["socket"] == ":443" {
        protocol     = "https://"
        ssl.engine   = "enable"
        ssl.disable-client-renegotiation = "disable"

        #server.name = "example.com"
        ssl.pemfile               = "/etc/lighttpd/ssl/example.com.pem"
        ssl.ca-file               = "/etc/lighttpd/ssl/bundle-ca.pem"

        ssl.honor-cipher-order = "enable"
        #ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384"
        #ssl.use-compression = "disable"
        setenv.add-response-header = (
            "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
            "X-Frame-Options" => "DENY",
            "X-Content-Type-Options" => "nosniff"
        )
        ssl.use-sslv2 = "enable"
        ssl.use-sslv3 = "enable"
        ssl.read-ahead = "enable"
        #ssl.disable-client-renegotiation = "disable"

        # It works
        $HTTP["host"] == "ssl.example.com" {
            server.name = "ssl.example.com"
            #ask for client cert
            ssl.verifyclient.activate   = "enable"
            ssl.verifyclient.enforce    = "enable"

            ssl.verifyclient.exportcert = "enable"
            #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
            ssl.verifyclient.depth      = 3
        }

        # It does not work
        $HTTP["url"] =~ "/backend/server/auth/ssl" {
            #ask for client cert
            ssl.verifyclient.activate   = "enable"
            ssl.verifyclient.enforce    = "disable"

            ssl.verifyclient.exportcert = "enable"
            #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
            ssl.verifyclient.depth      = 10
        }
    }
}

Is this a bug or a configuration mismatch?

It cannot work. SSL is negotiated before any HTTP request is sent to the server.

While negotiating the SSL connection, the client sends the virtual host name using the SNI feature of SSL. Client verification also happens during the SSL connection negotiation.

Only after the SSL session is established does the client send the "GET /path/to/resource" request to the web server.

You need to apply client verification to the whole domain.

Source: https://serverfault.com/questions/843259