我应该为网站的单个terminal启用ssl.verifyclient。*选项,以继续证书login或validation。 但它不工作。
$HTTP["host"] =~ "^(.*\.|)example.com$"{ $SERVER["socket"] == ":443" { protocol = "https://" ssl.engine = "enable" ssl.disable-client-renegotiation = "disable" #server.name = "example.com" ssl.pemfile = "/etc/lighttpd/ssl/example.com.pem" ssl.ca-file = "/etc/lighttpd/ssl/bundle-ca.pem" ssl.honor-cipher-order = "enable" #ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384" #ssl.use-compression = "disable" setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload", "X-Frame-Options" => "DENY", "X-Content-Type-Options" => "nosniff" ) ssl.use-sslv2 = "enable" ssl.use-sslv3 = "enable" ssl.read-ahead = "enable" #ssl.disable-client-renegotiation = "disable" # It Works $HTTP["host"] == "ssl.example.com"{ server.name = "ssl.example.com" #ask for client cert ssl.verifyclient.activate = "enable" ssl.verifyclient.enforce = "enable" ssl.verifyclient.exportcert = "enable" #ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" ssl.verifyclient.depth = 3 } # It not Works $HTTP["url"] =~ "/backend/server/auth/ssl" { #ask for client cert ssl.verifyclient.activate = "enable" ssl.verifyclient.enforce = "disable" ssl.verifyclient.exportcert = "enable" #ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" ssl.verifyclient.depth = 10 } } } 这是一个错误或不匹配的configuration?
它不能工作。 在任何HTTP请求被发送到服务器之前,协商SSL。
在协商SSL连接时,客户端使用SSL中的SNIfunction发送虚拟主机名。 客户端validation也在SSL连接协商期间发生。
只有在SSL会话build立之后,客户端才会向Web服务器发送“GET / path / to / resource”请求。
您需要为整个域应用客户端validation。