Apache 2.4 SSL Config
I've got a question regarding the SSL config for Apache 2.4. I have the following SSL settings for my vhost. There is more than one Directory, but the config is mostly the same; only the IPs are different. If I activate the three commented lines, Apache should check the requests against the cert and not just pass the requests through, correct? I assume Apache breaks the encryption for all requests from the internet and re-encrypts again to pass the request on. Am I right? Is there a way to not break the encryption and just delegate the cert checks to the next system?
RequestHeader set ClientProtocol HTTPS
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLProxyEngine On
SSLProxyProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
SSLCertificateFile /path/to/file.crt
SSLCertificateKeyFile /path/to/file.key
<Directory /folder-name>
#SSLVerifyClient optional_no_ca
#SSLVerifyDepth 1
#SSLOptions +OptRenegotiate +ExportCertData
ProxyPass https://10.20.30.40:8443/
ProxyPassReverse https://10.20.30.40:8443/
</Directory>
Thanks for your help guys and regards.
Sebastian
Yes, this Apache acting as a proxy terminates SSL. It then makes or reuses a pooled SSL connection to the backend.
There's no way to truly let the backend think it's handshaking with the client unless it accessed Apache as a forward proxy using the mod_proxy_connect module.
Some application servers accept the body of the client certificate in a proprietary header, making that identity available in the backend server. But they are not actually authenticating it in the handshake like the proxy/Apache has done.
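The following vhost is an added example, not configuration from the question or the answer above. It shows the pattern the answer describes: the proxy authenticates the client certificate in its own handshake (with `require` instead of the question's `optional_no_ca`, which never validates the chain), forwards the verified identity to the backend in headers, and verifies the backend's certificate on the re-encrypted hop. The CA file paths and header names are placeholders; the backend address is the one from the question.

```apache
# Added example (not from the original post). The proxy terminates TLS,
# authenticates the client certificate itself, and forwards the result to the
# backend over a verified TLS connection. CA paths are placeholders.
<VirtualHost *:443>
    SSLEngine On
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCertificateFile /path/to/file.crt
    SSLCertificateKeyFile /path/to/file.key

    # Authenticate the client certificate against a trusted CA in the proxy's
    # own handshake. Doing this at vhost level avoids the renegotiation that a
    # per-<Directory> SSLVerifyClient needs (which is what +OptRenegotiate was for).
    SSLCACertificateFile /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    # Export the SSL_* variables and the certificate so mod_headers can read them.
    SSLOptions +StdEnvVars +ExportCertData

    # "set" replaces any header of the same name the client sent, so the backend
    # only ever sees values taken from the verified handshake, never client input.
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"
    RequestHeader set ClientProtocol HTTPS

    # Re-encrypt to the backend and verify its certificate, rather than
    # accepting any certificate the backend presents (the default).
    SSLProxyEngine On
    SSLProxyProtocol ALL -SSLv2 -SSLv3
    SSLProxyCACertificateFile /path/to/backend-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName on

    <Location /folder-name/>
        ProxyPass https://10.20.30.40:8443/
        ProxyPassReverse https://10.20.30.40:8443/
    </Location>
</VirtualHost>
```

Two things to check before relying on this. `SSLProxyCheckPeerName on` requires the backend certificate to match the host in the `ProxyPass` URL, so with a bare IP like `10.20.30.40` the backend cert needs that IP as a subject alternative name. And the PEM in `SSL_CLIENT_CERT` spans many lines, which cannot survive as header line breaks; a backend that consumes the `X-SSL-Client-Cert` header must re-assemble the certificate, and it must be reachable only through this proxy, since the headers prove nothing if a client can send them directly.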