Ssl
Apache reverse proxy with a self-signed certificate

I run a Unifi hardware appliance with a self-signed certificate issued for unifi.local. For my current setup I cannot, for several reasons, import a certificate directly onto the appliance, so I am trying to get rid of the browser's invalid-certificate message with an apache2-based reverse proxy that provides access to the appliance under another domain, protected by a Letsencrypt certificate. My current setup looks like this:

Laptop <-> Apache Reverse Proxy (2.4.48, Debian, trusted wildcard domain certificate) <-> Unifi appliance (self-signed certificate)

My idea is to provide a secure domain called unifi.mydomain.tld that allows secure access to the appliance. On my apache reverse proxy I created and enabled a configuration file that looks like this:
```
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin root@home.lan
    ServerName unifi.mydomain.tld

    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPass "/" "https://10.0.1.1/"
    ProxyPassReverse "/" "https://10.0.1.1/"
    ProxyPreserveHost Off

    TransferLog /var/log/apache2/proxies/unifi_access.log
    ErrorLog /var/log/apache2/proxies/unifi_error.log

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    SSLOpenSSLConfCmd DHParameters /mnt/certificates/diffie-hellman/dhparam4096.pem
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
</VirtualHost>

# Originally from /etc/letsencrypt/options-ssl-apache.conf
# Written directly here because otherwise SSLProtocol etc is overwritten
# Add vhost name to log entries:
SSLOptions +StrictRequire
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
</IfModule>
```
However, if I visit unifi.mydomain.tld, my browser is handed the certificate for unifi.local instead of the certificate for unifi.mydomain.tld, and therefore raises a certificate-not-trusted error. Several hints mention turning SSLProxyVerify to none and SSLProxyCheckPeerName, SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire off, but none of these tricks worked. I cannot import Unifi's self-signed snake-oil certificate on my reverse proxy server. I am not sure whether apache2 itself is complaining about the certificate or returning the wrong certificate. How can I reach the appliance by browsing to unifi.mydomain.tld without this certificate error?
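As an added example, not part of the question and not Apache tooling: a small POSIX shell lint that reads a reverse-proxy vhost and reports the directives that leave the proxy-to-backend TLS leg unauthenticated. The two sample configs inside it are constructed from the question's directives; the pinned-certificate path /etc/apache2/ssl/unifi-appliance.pem and the assumption that unifi.local resolves to the appliance on the proxy host are mine. It also makes the distinction the question runs into explicit: SSLProxyVerify and the SSLProxyCheckPeer* switches only govern how Apache treats the backend's certificate; the certificate the browser sees comes from SSLCertificateFile in whichever vhost actually answers the request.

```shell
#!/bin/sh
# Added example, not from the original post: lint the backend-TLS directives of an
# Apache reverse-proxy vhost. Prints one finding per directive that leaves the
# proxy<->backend connection unauthenticated; prints nothing for a clean vhost.
# Both sample configs below are constructed here; the pinned certificate path is
# an assumption.

set -u

# Constructed sample 1: the proxy directives from the question (backend cert ignored).
write_question_conf() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName unifi.mydomain.tld
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass "/" "https://10.0.1.1/"
    ProxyPassReverse "/" "https://10.0.1.1/"
    ProxyPreserveHost Off
</VirtualHost>
EOF
}

# Constructed sample 2: same vhost, but the appliance's self-signed certificate is
# pinned as the only trust anchor and the name check stays on. The ProxyPass target
# is the name on the certificate; unifi.local must resolve to 10.0.1.1 on the proxy
# host (assumption, e.g. via /etc/hosts).
write_hardened_conf() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName unifi.mydomain.tld
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/unifi-appliance.pem
    SSLProxyCheckPeerName on
    ProxyPass "/" "https://unifi.local/"
    ProxyPassReverse "/" "https://unifi.local/"
    ProxyPreserveHost Off
</VirtualHost>
EOF
}

# directive_value FILE NAME: print the last value of NAME (lower-cased, quotes
# stripped), or "unset" when the directive does not appear in FILE.
directive_value() {
  awk -v name="$2" '
    tolower($1) == tolower(name) { v = $2 }
    END { gsub(/"/, "", v); print (v == "" ? "unset" : tolower(v)) }' "$1"
}

# lint_proxy_conf FILE: one finding per line on stdout.
lint_proxy_conf() {
  conf=$1
  verify=$(directive_value "$conf" SSLProxyVerify)
  peer_name=$(directive_value "$conf" SSLProxyCheckPeerName)
  peer_cn=$(directive_value "$conf" SSLProxyCheckPeerCN)
  expire=$(directive_value "$conf" SSLProxyCheckPeerExpire)
  ca_file=$(directive_value "$conf" SSLProxyCACertificateFile)
  ca_path=$(directive_value "$conf" SSLProxyCACertificatePath)

  if [ "$(directive_value "$conf" ProxyRequests)" = "on" ]; then
    echo "ProxyRequests On: forward proxying for anyone who can reach the vhost; a reverse proxy needs only ProxyPass (set ProxyRequests Off)"
  fi
  # SSLProxyVerify defaults to none, so an unset directive is as weak as 'none'.
  case "$verify" in
    require) ;;
    *) echo "SSLProxyVerify $verify: backend certificate is not verified, anything answering on the backend address is accepted (set SSLProxyVerify require)" ;;
  esac
  if [ "$verify" = "require" ] && [ "$ca_file" = "unset" ] && [ "$ca_path" = "unset" ]; then
    echo "SSLProxyVerify require without SSLProxyCACertificateFile/Path: no trust anchor, a self-signed backend will fail verification (point SSLProxyCACertificateFile at the backend's certificate)"
  fi
  if [ "$peer_name" = "off" ] && [ "$peer_cn" = "off" ]; then
    echo "SSLProxyCheckPeerName/CN off: backend name is never compared with the certificate (keep SSLProxyCheckPeerName on, or pin the exact certificate)"
  fi
  if [ "$expire" = "off" ]; then
    echo "SSLProxyCheckPeerExpire off: an expired or not-yet-valid backend certificate is accepted"
  fi
}

# finding_count FILE: number of findings; always exits 0 so it is safe under set -e.
finding_count() {
  lint_proxy_conf "$1" | awk 'END { print NR }'
}

# Stand-alone run: lint both constructed samples.
tmpdir=$(mktemp -d)
write_question_conf "$tmpdir/question.conf"
write_hardened_conf "$tmpdir/hardened.conf"
echo "== question.conf"; lint_proxy_conf "$tmpdir/question.conf"
echo "== hardened.conf"; lint_proxy_conf "$tmpdir/hardened.conf"
```

Run it as-is to lint the two constructed samples, or source it and call `lint_proxy_conf /etc/apache2/sites-enabled/unifi.conf` against a real file. The question's directives produce three findings (unverified backend, no name check, no expiry check); the pinned variant produces none, because with the backend's own certificate as the sole trust anchor nothing but that exact certificate and key can complete the handshake.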
This worked for me!

Requirements:
- Apache Tomcat on :8443 with a self-signed key
- Apache HTTPD with a reverse proxy to the Tomcat on localhost:8443
- Apache HTTPD requires mutual client authentication. If that is not your requirement, set: SSLVerifyClient none
- Apache HTTPD passes the caller's X.509 identity through the reverse proxy to tomcat.
```
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# A reverse proxy only needs ProxyPass; ProxyRequests On would additionally turn
# this vhost into an open forward proxy, so keep it Off.
ProxyRequests Off
ProxyPass /test1 https://localhost:8443/test/
ProxyPassReverse /test1 https://localhost:8443/test/

# SSL Settings for the DMZ
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateKeyFile /home/jdoyle/sample_httpd_server_example_root_ca_.key
SSLCertificateFile /home/jdoyle/sample_httpd_server_example_root_ca_.cer
SSLCACertificateFile /home/jdoyle/consolidated_cacerts.cer

# SSL Settings for the Reverse Proxy
SSLProxyEngine on
SSLProxyVerify require
SSLProxyProtocol TLSv1.2
SSLProxyCheckPeerName off
SSLProxyCACertificateFile /home/jdoyle/consolidated_cacerts.cer

SSLVerifyClient require
SSLVerifyDepth 10

# Pass the SSL context on to tomcat
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
....
SSLOptions +ExportCertData +StrictRequire
....
```
Notes:
a. SSLProxyCACertificateFile is used for the httpd<->tomcat connection and contains the public key of the Tomcat server's self-signed certificate.
b. SSLCACertificateFile is used for the DMZ <-> httpd connection and must contain the CA certificates of all inbound connections.
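Note a. above pins the backend's own self-signed certificate as the trust anchor for the httpd<->tomcat leg. The script below is an added example, not code from the answer: it reproduces that trust model with the openssl CLI so the effect of each directive can be seen offline. It generates a throwaway self-signed certificate for unifi.local (constructed here, 1-day validity) plus an "impostor" certificate with the same name but a different key, then checks each the way mod_ssl checks the backend under SSLProxyVerify require, SSLProxyCACertificateFile and the peer-name check. The openssl binary is required (1.1.1 or later for -addext and -no-CAfile).

```shell
#!/bin/sh
# Added example, not from the original answer: the trust model behind pinning a
# backend's self-signed certificate via SSLProxyCACertificateFile, reproduced with
# the openssl CLI. Certificates are generated into a temp dir (constructed, 1-day
# validity); nothing talks to a real appliance or Tomcat.

set -u

command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }

# make_selfsigned PREFIX NAME: write PREFIX.key and PREFIX.pem, a self-signed
# certificate whose CN and SAN are NAME, the shape of an appliance's default cert.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# verify_against CERT TRUST HOSTNAME: succeed iff CERT validates against the trust
# anchors in TRUST (a PEM file, or "-" for no anchors at all) and carries HOSTNAME.
# This is what mod_ssl applies to the backend with
#   SSLProxyVerify require + SSLProxyCACertificateFile TRUST + SSLProxyCheckPeerName on
# The system CA store is disabled so the result depends only on TRUST.
verify_against() {
  cert=$1; trust=$2; host=$3
  if [ "$trust" = "-" ]; then
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$trust" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  fi
}

# report LABEL CERT TRUST HOSTNAME: one human-readable line for the stand-alone run.
report() {
  if verify_against "$2" "$3" "$4"; then echo "accepted: $1"; else echo "rejected: $1"; fi
}

dir=$(mktemp -d)
make_selfsigned "$dir/appliance" unifi.local   # the real backend certificate
make_selfsigned "$dir/impostor"  unifi.local   # same name, different key (a LAN attacker)

# 1. require + no CA file: a self-signed backend cannot chain to anything, handshake fails.
report "appliance cert, no trust anchors (SSLProxyVerify require, no CA file)"   "$dir/appliance.pem" - unifi.local
# 2. require + the appliance's own PEM as CA file, name matches: accepted.
report "appliance cert, pinned via its own PEM, name unifi.local"                "$dir/appliance.pem" "$dir/appliance.pem" unifi.local
# 3. same pin, but ProxyPass points at localhost: the name check rejects it, which
#    is why the answer sets SSLProxyCheckPeerName off for a localhost target.
report "appliance cert, pinned, ProxyPass target localhost (peer-name check)"    "$dir/appliance.pem" "$dir/appliance.pem" localhost
# 4. a different self-signed cert with the same name is not the pinned anchor: rejected.
report "impostor cert with the same name, appliance PEM as the only anchor"      "$dir/impostor.pem"  "$dir/appliance.pem" unifi.local
```

Cases 2 and 4 together are the point of note a.: with the exact backend certificate as the only anchor, SSLProxyVerify require rejects any other certificate for that name, so turning SSLProxyCheckPeerName off (case 3) costs nothing here, whereas SSLProxyVerify none would accept the impostor outright.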