集中传出双向 SSL 连接

发布于 2024-10-17 16:14:43 字数 346 浏览 5 评论 0原文

我们目前正在使用 Apache 来处理传入的 SSL 请求。这些是双向 SSL 连接。 Apache 接受 https 连接并将请求作为 http 连接传递到应用程序服务器。这对我们来说效果很好。

我们希望对传出双向 SSL 连接使用相同类型的集中式机制。有没有办法用 Apache 或其他产品来做到这一点?让事情变得复杂的是,识别客户端所需的客户端证书可能会因目的地而异。

简而言之: - 内部客户端通过 http 连接到 Apache 或其他产品。 - Apache 或其他产品根据规则 (?) 知道需要双向 ssl 连接,并与目标进行设置。 - 根据目的地,发送正确的证书来识别我们的客户。

问候,

尼德基尔

We are currently using Apache to handle incoming SSL requests. These are two-way SSL connections. Apache accepts the https connection and pass the request on as http connection to the application server. This works well for us.

We would like to use the same kind of centralized mechanism for outgoing two-way SSL connections. Is there a way do this with Apache or another product? To complicate things the client certificate needed to identify out client can vary depending on the destination.

In short:
- Internal clients connect through http to Apache or another product.
- Apache or another product knows based on a rule (?) that a two-way ssl connection is required and sets this up with the destination.
- Depending on the destination the correct certificate is sent to identify our client.

Regards,

Nidkil

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

心的憧憬 2024-10-24 16:14:43

你所说的当然是 HTTP 代理服务器。在第一个场景中,您将其用作透明代理,为一组网页的连接提供 SSL 支持。在第二种情况下,您希望使用它代表使用 HTTP 的客户端提供与仅安全页面的连接。

您可以使用免费且开源的 Squid 代理来完成此操作,前提是您的计算机位于客户端和 Internet 之间。寻找“SSLBump”。您确实需要一个客户端认为对要访问的所有网页有效的证书(否则他们会注意到您在做什么,这基本上是中间人攻击)。

然而,我强烈建议不要这样做——如果一个网站需要 SSL,那么它这样做很可能是有原因的。让内部客户连接到网上银行网站并让您降低其加密以便您可以监控其流量或其他任何内容,几乎可以肯定可以......

What you're talking about is, or course, an HTTP proxy server. In the first scenario you are using it as a transparent proxy to provide SSL support for connections to a set of web pages. In the second scenario you want to use it to provide connections to secure-only pages on behalf of clients speaking HTTP.

You can do this with the Squid proxy, which is free and open-source, provided that your machine sits between the clients and the Internet. Look for "SSLBump". You do need a certificate which the clients would consider valid for all web pages to be accessed (otherwise they will notice what you are doing, which is basically a man-in-the-middle attack).

However, I would strongly recommend against this - if a site requires SSL, it is likely to do so for a reason. It is almost certainly not OK to have internal clients connecting to an online banking site and have you bumping down their encryption so that you can monitor their traffic or whatever...

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文