I have successfully configured Apache 2.4 as a proxy server that can authenticate to a remote server:
httpd-ssl.conf
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
Now I need to introduce authentication to a second remote server, so I changed the above configuration this way:
httpd-ssl.conf
SSLProxyEngine on
SSLProxyMachineCertificatePath "C:/Apache24/conf/myClientCertsForWs/"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
ProxyPass /ws2/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws2/ <HTTPS URL of remote service 1>
In "C:/Apache24/conf/myClientCertsForWs/" I placed the two client certificates, renamed to their hash names (54678734.0 and 77b3aaf4.0), which were generated with the following commands:
openssl x509 -hash -noout -in myClientCertForWs1.pem
openssl x509 -hash -noout -in myClientCertForWs2.pem
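Unfortunately, this configuration does not work: the only certificate Apache uses is the first one, so authentication to the second remote server always fails; it does not fail if I remove the first certificate from "C:/Apache24/conf/myClientCertsForWs/".
The only working solution I have found is to configure 2 VirtualHosts, one per remote server: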
httpd-ssl.conf
<VirtualHost _default_:9347>
[...]
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
ProxyPass /ws1/ <HTTPS URL of remote service 1>
ProxyPassReverse /ws1/ <HTTPS URL of remote service 1>
[...]
</VirtualHost>
<VirtualHost _default_:9348>
[...]
SSLProxyEngine on
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
ProxyPass /ws2/ <HTTPS URL of remote service 2>
ProxyPassReverse /ws2/ <HTTPS URL of remote service 2>
[...]
</VirtualHost>
This solution requires using 2 ports instead of one, which I would like to avoid.
Can you help me?
<Proxy HTTPS URL of remote service 1>
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
</Proxy>
<Proxy HTTPS URL of remote service 2>
SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
</Proxy>
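The per-backend `<Proxy>` sections above combined with the question's ProxyPass rules in a single virtual host on one port, as an added example that is not part of the original posts. It assumes httpd 2.4.30 or later (the first release that accepts SSLProxyMachineCertificateFile inside a proxy section); the backend hostnames, the CA bundle path and the backend verification directives are assumptions added for illustration.

```apache
# Added example: hostnames and backendCAs.pem are hypothetical placeholders.
<VirtualHost _default_:9347>
    SSLProxyEngine on

    # Verify each backend's server certificate before presenting a client
    # certificate to it (assumed hardening, not in the original posts).
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile "C:/Apache24/conf/backendCAs.pem"

    # One client identity per backend. Each PEM file must contain the client
    # certificate together with its unencrypted private key.
    <Proxy "https://ws1.example.com/">
        SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs1.pem"
    </Proxy>
    <Proxy "https://ws2.example.com/">
        SSLProxyMachineCertificateFile "C:/Apache24/conf/myClientCertForWs2.pem"
    </Proxy>

    # Both services are exposed on the same port under different paths.
    ProxyPass        /ws1/ "https://ws1.example.com/"
    ProxyPassReverse /ws1/ "https://ws1.example.com/"
    ProxyPass        /ws2/ "https://ws2.example.com/"
    ProxyPassReverse /ws2/ "https://ws2.example.com/"
</VirtualHost>
```

Because the PEM files hold unencrypted private keys, restrict their file permissions to the account that runs Apache.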