在 IIS6/7 中转发或导出客户端证书
目前,我们的程序在 JBoss 上运行,并位于 apache 反向代理后面。 Apache 负责验证客户端证书。我们在 apache 中设置了 +ExportCertData 选项,然后
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
在转发到 JBoss 之前将证书放入标头字段 SSL_CLIENT_CERT 中。然后,我们在 Jboss 中的应用程序读取证书,查找 subjectAltName 来获取电子邮件地址,我们使用该地址来节省用户输入电子邮件地址的步骤。
现在,我们将不得不生活在 IIS 后面,并且需要类似的功能这。我们真正关心的是从SubjectAltName 中提取电子邮件地址。在理想的情况下,IIS 将提供与 apache 相同的信息,因此我们不必过多修改应用程序代码。但如果不可能,其他选择也是不错的。
其他一些注意事项:
- 我们可能需要支持 IIS6 和 IIS7。如果有一种解决方案可以同时适用于两者,那就太好了,但不是必需的。
- 我们目前正在使用 IIRF 转发发送到某个虚拟目录的请求,但我有兴趣听到其他可以实现我们正在寻找的解决方案以及转发到我们的应用程序服务器。
- 仅仅将 apache 扔到 IIS 前面并不是一个解决方案,因为我们必须与使用 IIS 的其他程序共享这个盒子,而他们可能会对这样的解决方案保持警惕。另外,我们不能只在不同的端口上运行,因为防火墙限制只允许端口 80 和端口 443。
有什么想法可以实现这一点吗?如果我可以提供更多信息,请告诉我。
Currently, our program runs on JBoss and sits behind an apache reverse proxy. Apache handles verifying the client certificate. We have the +ExportCertData option set in apache, and then we use
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
to put the cert in the header field SSL_CLIENT_CERT before forwarding to JBoss. Our application in Jboss then reads the cert looking for the SubjectAltName to get the e-mail address, which we use to save the user a step in entering it in.
Now, we will have to live behind IIS, and will need similar functionality to this. What we really care about is extracting the email address from the SubjectAltName. In an ideal world, IIS would provide the same information as apache, so we wouldn't have to modify our application code too much. But if it's not possible, other options are good as well.
Some other notes:
- We will probably need to support IIS6 and IIS7. It would be nice to have one solution that works across both, but not necessary
- We are currently using IIRF to forward requests that go to a certain virtual directory, but I would be interested in hearing other solutions that could accomplish what we're looking for along with forwarding to our application server.
- Just throwing apache in front of IIS isn't going to be a solution because we have to share the box with other programs that use IIS and they might be wary of such a solution. Also, we can't just run on a different port because of firewall restrictions only allow port 80 and port 443.
Any ideas how to make this possible? Let me know if there's any more information I can provide.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论