HAProxy - 将客户端证书转发到后端 HashiCorp Vault 服务器
[英]HAProxy - Forwarding Client Certificate to backend HashiCorp Vault servers
问题描述
I've been trying for about a week to setup a HashiCorp Vault environment, but have gotten stuck at setting up the last part: HAProxy, as I am unable to forward my Client Certificate to my backend.
我已经尝试了大约一个星期来设置 HashiCorp Vault 环境,但在设置最后一部分时陷入困境:HAProxy,因为我无法将我的客户端证书转发到我的后端。
My current setup on the HAProxy is this:我当前在 HAProxy 上的设置是这样的:
frontend vaultfrontend
mode http
bind *:8200 ssl crt /home/administrator/tls.crt verify none
redirect scheme https code 301 if !{ ssl_fc }
default_backend vaultbackend
backend vaultbackend
mode http
timeout check 5s
option httpchk
http-check connect ssl
http-check send meth GET uri /v1/sys/health
http-check expect status 200
server a.vault a.vault.test.local:8200 ssl verify none check
server b.vault b.vault.test.local:8200 ssl verify none check
server c.vault c.vault.test.local:8200 ssl verify none check
My backend vault servers are running SSL with Windows CA signed certificates, and works just fine through their respective URLS.我的后端保险库服务器正在运行 SSL 和 Windows CA 签名证书,并且通过它们各自的 URLS 工作得很好。 The HAProxy has a signed certificate allowing people to connect to it via this URL: https://vault.test.local:8200 , which works as expected. HAProxy 有一个签名证书,允许人们通过这个 URL: https://vault.test.local:8200连接到它,它按预期工作。
The issue arises when I try to access the Vaults via HashiCorp Vault's Cert Auth authentication method.当我尝试通过 HashiCorp Vault 的 Cert Auth 身份验证方法访问 Vault 时,问题就出现了。 Whenever I try to authenticate via https://vault.test.local:8200 which is the HAProxy, I get an error message saying there's a lack of Client Certificate in the request: ({"errors":["client certificate must be supplied"]})'每当我尝试通过https://vault.test.local:8200 (即 HAProxy)进行身份验证时,我都会收到一条错误消息,指出请求中缺少客户端证书: ({"errors":["client certificate must be supplied"]})'
It however works perfectly fine if I directly target my Vault servers instead.但是,如果我直接以我的 Vault 服务器为目标,它就可以正常工作。
I've tried to edit the config to include this: http-request set-header X-Client-Cert %{+Q}[ssl_c_der,base64] with different variations, but it changes nothing.我试图编辑配置以包括此: http-request set-header X-Client-Cert %{+Q}[ssl_c_der,base64]具有不同的变体,但它没有任何改变。 It really seems to me like HAProxy for whatever reason will not take my X-Client-Certificate being sent from my VaultSharp application (C#) and forward it.在我看来,无论出于何种原因,HAProxy 都不会接受从我的 VaultSharp 应用程序 (C#) 发送的 X-Client-Certificate 并转发它。
Does anyone have a setup like this that works, or at least have any idea what the issue might be?有没有人有像这样有效的设置,或者至少知道问题可能出在哪里?
1 个解决方案
解决方案1
0 已采纳 2022-11-20 13:09:30
I finally got it solved, the issue is that performing SSL-Termination with HAProxy will always cause a Client Certificate to get lost (at least from all the things I ended up trying..)我终于解决了这个问题,问题是使用 HAProxy 执行 SSL 终止总是会导致客户端证书丢失(至少从我最终尝试的所有事情来看是这样……)
The solution is to do SSL-Passthrough instead, and the Client Certificate will be read by the Vault environment correctly.解决方案是改用 SSL-Passthrough,客户端证书将被 Vault 环境正确读取。
It would look something like this:它看起来像这样:
frontend vaultfrontend
mode tcp
bind *:8200
redirect scheme https code 301 if !{ ssl_fc }
default_backend vaultbackend
backend vaultbackend
mode tcp
timeout check 5s
option httpchk
http-check connect ssl
http-check send meth GET uri /v1/sys/health
http-check expect status 200
server a.vault a.vault.test.local:8200 ssl verify none check
server b.vault b.vault.test.local:8200 ssl verify none check
server c.vault c.vault.test.local:8200 ssl verify none check
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.