
Spring Boot certificate authentication via Apache reverse proxy

I have successfully configured Apache (2.4.7) to require a client certificate and -- as a reverse proxy -- forward the information within the certificate to a Tomcat 8 server.

When trying to accomplish the same with Spring Boot however, it fails with

The proxy server received an invalid response from an upstream server
The proxy server could not handle the request GET /myapp

and returns an HTTP 502 error code.

The relevant, working Tomcat configuration is:

<Connector SSLEnabled="true" clientAuth="want" keyAlias="myalias" 
keystoreFile="mystore.jks" keystorePass="mypassword" maxThreads="150" 
port="8443" protocol="HTTP/1.1" scheme="https" secure="true" 
sslProtocol="TLS" truststoreFile="mystore.jks" truststorePass="mypassword"/>

The relevant part of the Spring Boot application.properties file that won't work:

server.context-path=/myapp
server.port=8443
server.ssl.enabled=true
server.use-forward-headers=true
server.ssl.protocol=TLS
server.ssl.client-auth=need
server.ssl.key-alias=myalias
server.ssl.key-store=/path/to/mykeystore.jks
server.ssl.key-store-password=mypassword
server.ssl.key-password=mypassword
server.ssl.trust-store=/path/to/mykeystore.jks
server.ssl.trust-store-password=mypassword

server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.port-header=x-forwarded-port

Note, when accessing the app directly (i.e. requesting https://myapp.company.tld:12345/myapp ) it works just fine, but using the reverse proxy (i.e. https://proxy-load-balancer.company.tld:12345/myapp ) throws the error above.

The port difference (12345 vs the configured 8443) is due to an intermediate Docker layer: both the reverse proxy and the application run in a container and their open ports (443 for Apache, 8443 for Tomcat/Spring Boot) are mapped to a different port, i.e. 12345.

Ok, so this all got sorted out. First, this Spring security setting

server.ssl.client-auth=need

will always force your embedded Tomcat to ask for a certificate, so in a client=>reverse proxy=>Tomcat situation you won't be able to authenticate unless maybe you use AJP, not sure about that.

But it turned out that using

server.ssl.client-auth=want

enables the further processing of your request and what people usually do is process the certificate at the reverse proxy level and forward some information to the backend server (Tomcat, Jetty, etc.).

In the end the developers had to adapt their Spring Boot application to handle this latter mode of operation, ie extract data from the forwarded HTTP request's header and proceed with the authentication based on that.
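The answer above describes the "proxy verifies the certificate, backend trusts a forwarded header" pattern without showing the application side. The following is an added example, not the poster's code, of a Spring Security configuration that consumes a forwarded subject DN. It assumes Spring Security 6 / Spring Boot 3 (the question itself dates from the Boot 1.x era), a hypothetical header name `X-SSL-Client-S-DN` that Apache populates with mod_ssl's `SSLOptions +StdEnvVars` and `RequestHeader set X-SSL-Client-S-DN "%{SSL_CLIENT_S_DN}s"`, and a constructed in-memory allow-list of enrolled DNs.

```java
// Added example (not the poster's code). Assumptions: Spring Security 6,
// Apache sets the hypothetical header X-SSL-Client-S-DN from SSL_CLIENT_S_DN
// after clearing any client-supplied copy:
//   SSLOptions +StdEnvVars
//   RequestHeader unset X-SSL-Client-S-DN
//   RequestHeader set X-SSL-Client-S-DN "%{SSL_CLIENT_S_DN}s"
package com.example.proxyauth;

import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class ProxyCertSecurityConfig {

    /** Header carrying the subject DN of the certificate Apache already verified (assumed name). */
    static final String DN_HEADER = "X-SSL-Client-S-DN";

    /** Constructed allow-list: subject DN -> roles. A real deployment backs this with a directory or DB. */
    private static final Map<String, List<String>> KNOWN_SUBJECTS = Map.of(
            "CN=alice,OU=Dev,O=Example", List.of("ROLE_USER"),
            "CN=ops-bot,OU=Ops,O=Example", List.of("ROLE_USER", "ROLE_ADMIN"));

    @Bean
    public AuthenticationManager authenticationManager() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Map the forwarded DN to a user; unknown DNs are rejected, never auto-provisioned.
        provider.setPreAuthenticatedUserDetailsService(this::lookupByDn);
        return new ProviderManager(provider);
    }

    UserDetails lookupByDn(PreAuthenticatedAuthenticationToken token) {
        String dn = token.getPrincipal().toString();
        List<String> roles = KNOWN_SUBJECTS.get(dn);
        if (roles == null) {
            throw new UsernameNotFoundException("certificate subject not enrolled: " + dn);
        }
        return User.withUsername(dn)
                // Never checked: the credential was the certificate, validated by Apache.
                .password("N/A")
                .authorities(roles.stream().map(SimpleGrantedAuthority::new).toList())
                .build();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
        RequestHeaderAuthenticationFilter headerFilter = new RequestHeaderAuthenticationFilter();
        headerFilter.setPrincipalRequestHeader(DN_HEADER);
        // A missing header is an error, not an anonymous request: every request must have come via Apache.
        headerFilter.setExceptionIfHeaderMissing(true);
        headerFilter.setAuthenticationManager(authManager);

        http.addFilter(headerFilter)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Header-authenticated on every request: no session, so no session cookie for CSRF to ride on.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(AbstractHttpConfigurer::disable);
        return http.build();
    }
}
```

Two things make this safe to rely on. First, Apache must `RequestHeader unset` the header before setting it, so a client cannot pre-populate it with a DN of its choosing. Second, the backend's 8443 port must only be reachable from the proxy (firewall or Docker network isolation); the `server.ssl.client-auth=want` setting from the answer still lets Tomcat accept connections without a certificate, so anyone who can reach Tomcat directly could otherwise supply the header themselves.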
