Apache mod_proxy forwarding to a content server that requires client certificates

Setup

Status

  • Working: client A -OK-> server A
  • Not working: client B -OK-> proxy on server B -X-> server A

Alternative solution: I found that SEnginx should be able to do the job

  • http://www.senginx.org/en/index.php/Proxy_HTTPS_Client_Certificate

This is the fallback in case Apache cannot do it...

Log files

/var/log/apache2/proxy_8004_access.log (all lines start with [Wed Nov 18 23:42:00.888597 2015] [proxy:debug] [pid 4374:tid 140546074822528])

    [...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
    [...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
    [...] proxy_util.c(1848): AH00930: initialized pool in child 4374 for (*) min=0 max=25 smax=25
    [...] proxy_util.c(1771): AH00925: initializing worker proxy:forward shared
    [...] proxy_util.c(1813): AH00927: initializing worker proxy:forward local
    [...] proxy_util.c(1848): AH00930: initialized pool in child 4373 for (*) min=0 max=25 smax=25

/var/log/apache2/secure.site_error.log (all lines start with [Wed Nov 18 23:42:13.462770 2015] [core:trace6] [pid 4374:tid 140545817044736])

    [...] core_filters.c(527): [client 192.168.0.30:59423] core_output_filter: flushing because of FLUSH bucket
    [...] ssl_engine_kernel.c(1807): [client 192.168.0.30:59423] OpenSSL: Write: unknown state
    [...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
    [...] ssl_engine_kernel.c(1826): [client 192.168.0.30:59423] OpenSSL: Exit: error in unknown state
    [...] [client 192.168.0.30:59423] AH02008: SSL library error 1 in handshake (server secure.site:443)
    [...] SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?
    [...] [client 192.168.0.30:59423] AH01998: Connection closed to child 70 with abortive shutdown (server secure.site:443)

Details of the installation

Server A - client certificate creation

    mkdir -p /root/myCA/CA /root/myCA/server /root/myCA/user; cd /root/myCA; echo 01 > serial; touch index.txt

    # CA creation
    openssl genrsa -out /root/myCA/CA/myCA.key 1024
    openssl req -new -key /root/myCA/CA/myCA.key -out /root/myCA/CA/myCA.csr
      input> Common Name (eg server FQDN or YOUR name) []:myCA
    openssl x509 -req -days 3650 -in /root/myCA/CA/myCA.csr -out /root/myCA/CA/myCA.crt -signkey /root/myCA/CA/myCA.key

    # SERVER cert creation
    openssl genrsa -des3 -out /root/myCA/server/secure.site.key 1024
      input> password
    openssl req -new -key /root/myCA/server/secure.site.key -out /root/myCA/server/secure.site.csr
      input> Common Name (eg server FQDN or YOUR name) []:secure.site
    openssl ca -days 3650 -in /root/myCA/server/secure.site.csr -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/server/secure.site.crt -config /etc/ssl/openssl.cnf

    # client cert creation
    openssl genrsa -des3 -out /root/myCA/user/[email protected] 1024
      input> password
    openssl req -new -key /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]
      input> Common Name (eg server FQDN or YOUR name) []:Developers
    openssl ca -in /root/myCA/user/[email protected] -cert /root/myCA/CA/myCA.crt -keyfile /root/myCA/CA/myCA.key -out /root/myCA/user/[email protected]
    openssl x509 -in /root/myCA/user/[email protected] -text

    # export for usage in browser
    openssl pkcs12 -export -clcerts -in /root/myCA/user/[email protected] -inkey /root/myCA/user/[email protected] -out /root/myCA/user/[email protected]

    # concat file for proxy
    cat [email protected] [email protected] > [email protected]

Server A /etc/apache2/sites-available/secure.site.conf (full file)

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName secure.site
        DocumentRoot /var/www/secure.site/www
        LogLevel trace8 ssl:trace8
        ErrorLog ${APACHE_LOG_DIR}/secure.site_error.log
        CustomLog ${APACHE_LOG_DIR}/secure.site_access.log combined
        SSLEngine on
        SSLCertificateFile /root/myCA/server/secure.site.crt
        SSLCertificateKeyFile /root/myCA/server/secure.site.key
        SSLCACertificateFile /root/myCA/CA/myCA.crt
    </VirtualHost>
    </IfModule>

Server A /etc/apache2/mods-available/ssl.conf (only what was added, at the end)

    SSLVerifyClient require
    SSLVerifyDepth 2

Server B /etc/apache2/sites-available/forward.proxy.conf

    Listen 8004
    <VirtualHost *:8004>
        ProxyRequests On
        ProxyVia On
        LogLevel trace8 ssl:trace8
        ErrorLog ${APACHE_LOG_DIR}/proxy_8004_access.log
        CustomLog ${APACHE_LOG_DIR}/proxy_8004_error.log combined
        SSLCACertificateFile "/root/myCA/CA/myCA.crt"
        SSLProxyMachineCertificateFile "/root/myCA/user/[email protected]"
    </VirtualHost>
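The vhost below is an added example and is not part of the question or of any answer to it. It shows the one arrangement in which mod_ssl can present the certificate named by SSLProxyMachineCertificateFile: Apache on Server B opening the TLS connection to Server A itself (SSLProxyEngine on, ProxyPass to an https:// URL). With ProxyRequests On, a browser reaches an https:// site through a CONNECT tunnel, so the TLS handshake runs end to end between the browser and Server A and Server B never gets to answer Server A's CertificateRequest. The proxy's own hostname and certificate paths, the unencrypted developer PEM and the client network in Require ip are assumptions.

```apache
# Added example (not from the original post): Server B as a reverse proxy that
# terminates the browser's TLS itself and then opens its own TLS connection to
# Server A, presenting the developer certificate from SSLProxyMachineCertificateFile.
# Hostnames, paths and the client network are assumptions.
Listen 8004
<VirtualHost *:8004>
    ServerName proxy.site

    # Browser-facing side: the proxy's own server certificate (assumed paths).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy.site/proxy.site.crt
    SSLCertificateKeyFile /etc/ssl/proxy.site/proxy.site.key

    # No forward proxying: a CONNECT tunnel would carry the browser's handshake
    # straight through to Server A, and nothing on this box could add a client cert.
    ProxyRequests Off
    ProxyPreserveHost Off

    # Upstream side: Apache originates TLS to Server A ...
    SSLProxyEngine on
    # ... verifies Server A's certificate against the private CA ...
    SSLProxyCACertificateFile /root/myCA/CA/myCA.crt
    SSLProxyVerify require
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on
    # ... and answers the CertificateRequest with this cert+key PEM. mod_ssl needs
    # the private key in this file to be unencrypted (no passphrase), so strip the
    # passphrase first (assumed filenames):
    #   openssl rsa -in developer.key -out developer-nopass.key
    #   cat developer.crt developer-nopass.key > developer-nopass.pem
    SSLProxyMachineCertificateFile /etc/ssl/proxy.site/developer-nopass.pem

    ProxyPass        / https://secure.site/
    ProxyPassReverse / https://secure.site/

    # Everything passing through here reaches Server A as "Developers", so only
    # the hosts that should hold that identity may talk to this vhost (assumed net).
    <Location />
        Require ip 192.168.0.0/24
    </Location>

    LogLevel info ssl:debug
    ErrorLog  ${APACHE_LOG_DIR}/proxy_8004_error.log
    CustomLog ${APACHE_LOG_DIR}/proxy_8004_access.log combined
</VirtualHost>
```

This needs mod_proxy, mod_proxy_http and mod_ssl loaded (a2enmod proxy proxy_http ssl on Debian/Ubuntu), and SSLProxyCheckPeerName is available from Apache 2.4.5 on. Browsers then open https://proxy.site:8004/ directly instead of configuring Server B as a proxy. Because the proxy turns any connection it accepts into a request authenticated as the Developers certificate, the Require ip line is the only control on who may borrow that identity; restrict it to the actual client hosts rather than a whole subnet where possible.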