带码头和空密码的双向SSL
[英]Two Way SSL with Jetty and Null Cipher
问题描述
I have an application running in Jetty. 
我有一个在Jetty中运行的应用程序。 In front of it, I have a load balancer. 在它的前面,我有一个负载平衡器。 The requirement is to have SSL decryption done by the load balancer while the web container does only SSL client authentication. 要求是由负载均衡器完成SSL解密,而Web容器仅执行SSL客户端身份验证。
The theory is that the load balancer is very efficient at decrypting the content and can do that and pass it in plain to the web container. 从理论上讲,负载均衡器在解密内容方面非常有效,并且可以做到这一点,然后将其简单地传递到Web容器。
Any idea how this can be achieved? 知道如何实现吗?
1 个解决方案
解决方案1
6 已采纳 2012-07-28 01:49:18
It's not clear what you mean by "Null Cipher" in your title. 目前尚不清楚标题中“空密码”的含义。 There are 3 possible candidates : TLS_NULL_WITH_NULL_NULL , TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA . 有3种可能的候选对象 : TLS_NULL_WITH_NULL_NULL , TLS_RSA_WITH_NULL_MD5和TLS_RSA_WITH_NULL_SHA 。 The first one doesn't perform any authentication, none of them offer any encryption. 第一个不执行任何身份验证,它们都不提供任何加密。 They're certainly useless for your objective. 它们对您的目标毫无用处。 Use normal cipher suites (with both authentication and encryption) between the browser and the load-balancer. 在浏览器和负载平衡器之间使用普通的密码套件(具有身份验证和加密功能)。 Encryption between the load-balancer and the worker nodes is generally optional, and only required if you don't trust the network where they site (this would be a completely different SSL/TLS connection anyway and have nothing to do with the client-certificate authentication done by the end browser). 负载平衡器和辅助节点之间的加密通常是可选的,并且仅在您不信任它们所在的网络时才需要(无论如何这将是完全不同的SSL / TLS连接,并且与客户端证书无关)身份验证由最终浏览器完成)。
Only the SSL/TLS server can request (and verify) client-certificate authentication. 仅SSL / TLS服务器可以请求(并验证)客户端证书身份验证。 In this case this will be the load balancer. 在这种情况下,它将是负载平衡器。
If you want to have your SSL/TLS traffic handled by your load balancer, it should verify the certificate (presumably against a CA you have configured), and then relay the certificate information to the worker nodes. 如果要由负载均衡器处理SSL / TLS流量,则它应验证证书(大概是针对您已配置的CA),然后将证书信息中继到工作节点。
How you do this will depend on the load-balancer. 如何执行此操作将取决于负载平衡器。 If it's an Apache Httpd server, mod_proxy_ajp will relay the client certificate via the AJP protocol ( SSLOptions +ExportCertData +StdEnvVars ). 如果是Apache Httpd服务器,则mod_proxy_ajp将通过AJP协议( SSLOptions +ExportCertData +StdEnvVars )中继客户端证书。 mod_jk is also able to relay the full client-certificate chain if needed ( JkOptions +ForwardSSLCertChain ). 如果需要, mod_jk还可以中继完整的客户端证书链( JkOptions +ForwardSSLCertChain )。
If you want to use mod_proxy_http , a trick is to pass the certificate via an HTTP header ( mod_header ), using something like RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s . 如果要使用mod_proxy_http ,一个诀窍是使用诸如RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s类的东西通过HTTP头( mod_header )传递证书。 You should make sure this header is cleared if it comes from the client's browser (who could forge it otherwise). 您应该确保清除此标头(如果它来自客户端的浏览器)(否则可以伪造)。 In this case, you'll need to write a filter as part of your Jetty server to handle that header an place it into the javax.servlet.request.X509Certificate HttpServletRequest attribute (it should be an array of X509Certificate ). 在这种情况下,您需要在Jetty服务器中编写一个过滤器来处理该标头,然后将其放入javax.servlet.request.X509Certificate HttpServletRequest属性(它应该是X509Certificate的数组)。 After this, you should be more or less at the same stage as what you would have with AJP. 此后,您应该与AJP处于大致相同的阶段。 This may also work with other load balancers if they're capable of populating an HTTP header in a similar way. 如果其他负载均衡器能够以类似方式填充HTTP标头,则这也可能适用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.