Ssl

Apache reverse proxy with a self-signed certificate

  • November 12, 2021

I run a Unifi hardware appliance with a self-signed certificate that is issued to unifi.local. For my current setup I cannot, for several reasons, import a certificate directly on the appliance, so I am trying to get rid of the browser's invalid-certificate message with an apache2-based reverse proxy that provides access to the appliance under another domain, secured by a Letsencrypt certificate.

My current setup looks like this:

Laptop <-> Apache Reverse Proxy (2.4.48, Debian, trusted wildcard domain certificate) <-> Unifi appliance (self-signed certificate)

My idea is to provide a secure domain called unifi.mydomain.tld that allows secure access to the appliance.

In my apache reverse proxy I created and enabled a configuration file that looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerAdmin root@home.lan
   ServerName unifi.mydomain.tld

   SSLProxyEngine On
   SSLProxyVerify none
   SSLProxyCheckPeerCN off
   SSLProxyCheckPeerName off
   SSLProxyCheckPeerExpire off

   ProxyPass "/" "https://10.0.1.1/"
   ProxyPassReverse "/" "https://10.0.1.1/"
   ProxyPreserveHost Off

   TransferLog /var/log/apache2/proxies/unifi_access.log
   ErrorLog /var/log/apache2/proxies/unifi_error.log

   <IfModule mod_headers.c>
       Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
   </IfModule>

   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
   SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384
   SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
   SSLOpenSSLConfCmd DHParameters /mnt/certificates/diffie-hellman/dhparam4096.pem
   SSLHonorCipherOrder on
   SSLCompression off
   SSLSessionTickets off

   SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
</VirtualHost>

# Originally from /etc/letsencrypt/options-ssl-apache.conf
# Written directly here because otherwise SSLProtocol etc is overwritten
# Add vhost name to log entries:
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

</IfModule>

However, if I visit unifi.mydomain.tld, my browser returns the certificate for unifi.local instead of the certificate for unifi.mydomain.tld, and therefore raises a certificate-not-trusted error. Several tricks mention setting SSLProxyVerify to none and SSLProxyCheckPeerName, SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire to off, but none of these tricks worked. I cannot import Unifi's self-signed snake-oil certificate on my reverse proxy server.

I am not sure whether apache2 itself is complaining about the certificate or returning the wrong certificate. How can I access the appliance by browsing to unifi.mydomain.tld without getting this certificate error?

This worked for me!

Requirements:

  1. Apache Tomcat on :8443 with a self-signed key
  2. Apache HTTPD with a reverse proxy to the Tomcat on localhost:8443
  3. Apache HTTPD requires mutual client authentication. If that is not a requirement for you, set: SSLVerifyClient none
  4. Apache HTTPD passes the caller's X.509 identity through the reverse proxy to tomcat.



ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
ProxyRequests On
ProxyPass /test1 https://localhost:8443/test/
ProxyPassReverse /test1 https://localhost:8443/test/
# SSL Settings for the DMZ
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateKeyFile /home/jdoyle/sample_httpd_server_example_root_ca_.key
SSLCertificateFile /home/jdoyle/sample_httpd_server_example_root_ca_.cer
SSLCACertificateFile /home/jdoyle/consolidated_cacerts.cer
# SSL Settings for the Reverse Proxy
SSLProxyEngine on
SSLProxyVerify require
SSLProxyProtocol TLSv1.2
SSLProxyCheckPeerName off
SSLProxyCACertificateFile /home/jdoyle/consolidated_cacerts.cer
SSLVerifyClient require
SSLVerifyDepth  10
# Pass the SSL Context on to tomcat

RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
....

SSLOptions +ExportCertData +StrictRequire
....

Notes:

a. SSLProxyCACertificateFile is used for the httpd<->tomcat connection and contains the public key of the Tomcat server's self-signed certificate.

b. SSLCACertificateFile is used for the DMZ <-> httpd connection and must contain the CA certificates for all inbound connections.
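An added example, not code from either post: a small Python audit of the SSLProxy* directives that contrasts the question's vhost (every peer check switched off) with the answer's (SSLProxyVerify require plus the backend's self-signed certificate in SSLProxyCACertificateFile, with only the name check disabled). The two sample configs are constructed from the posts, the CA file path is a placeholder, and only the SSLProxyCACertificateFile form of the trust anchor (not the Path variant) is recognised.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProxyTls:
    verify: str = "none"            # SSLProxyVerify (Apache default)
    ca_file: Optional[str] = None   # SSLProxyCACertificateFile
    peer_name: bool = True          # SSLProxyCheckPeerName
    peer_cn: bool = True            # SSLProxyCheckPeerCN
    peer_expire: bool = True        # SSLProxyCheckPeerExpire

def parse_proxy_tls(config: str) -> ProxyTls:
    """Pick the SSLProxy* directives out of a vhost body, ignoring comments."""
    p = ProxyTls()
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().strip('"')
        flag = val.lower() == "on"
        if key == "sslproxyverify":
            p.verify = val.lower()
        elif key == "sslproxycacertificatefile":
            p.ca_file = val
        elif key == "sslproxycheckpeername":
            p.peer_name = flag
        elif key == "sslproxycheckpeercn":
            p.peer_cn = flag
        elif key == "sslproxycheckpeerexpire":
            p.peer_expire = flag
    return p

def audit(config: str) -> List[str]:
    """Return findings; an empty list means the backend cert is verified against a pinned anchor."""
    p = parse_proxy_tls(config)
    pinned = p.verify == "require" and p.ca_file is not None
    out = []
    if p.verify != "require":
        out.append(f"SSLProxyVerify {p.verify}: backend certificate is never validated")
    elif not pinned:
        out.append("SSLProxyVerify require without SSLProxyCACertificateFile: no trust anchor")
    if not p.peer_expire:
        out.append("SSLProxyCheckPeerExpire off: expired backend certificates are accepted")
    if not (p.peer_name and p.peer_cn) and not pinned:
        out.append("Hostname checks off while the backend certificate is not pinned")
    return out

# Constructed samples: the question's vhost (all checks off) and the answer's (pinned cert).
QUESTION_CFG = "SSLProxyVerify none\nSSLProxyCheckPeerCN off\nSSLProxyCheckPeerName off\nSSLProxyCheckPeerExpire off"
ANSWER_CFG = "SSLProxyVerify require\nSSLProxyCheckPeerName off\nSSLProxyCACertificateFile /path/to/consolidated_cacerts.cer"
```

Disabling the name check is tolerable only because the answer pins the exact backend certificate as the trust anchor; with SSLProxyVerify none, as in the question, nothing on the proxy-to-appliance path is authenticated at all.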

Quoted from: https://serverfault.com/questions/1080951