Authentication using Apache HTTPD
This short article describes client authentication using Apache HTTPD.
Standard authentication vs. mutual authentication
Standard authentication (also known as one-way SSL authentication) is an authentication protocol in which only the client verifies the server certificate. Mutual authentication (two-way SSL authentication), on the other hand, is the authentication protocol in which two parties authenticate each other. It is the default mode of authentication in some protocols (such as IKE, SSH) and optional in some others (such as TLS).
Standard (one-way) SSL authentication
Server side
Requirements
Certificate preparation
Only a summary of the certificate preparation steps is given here; many detailed documents about the process are available on the internet. Note that self-signed certificates are for test purposes only; using them in production is discouraged.
Apache HTTPD implementation
# SSL CONFIGURATION – SERVER SIDE
# Enable SSL/TLS on this virtual host (one-way: only the server presents a certificate)
SSLEngine on
# Server certificate presented to clients
SSLCertificateFile "/etc/httpd/conf/server-cert.pem"
# Private key belonging to the server certificate
SSLCertificateKeyFile "/etc/httpd/conf/server-key.key"
# END OF SSL CONFIGURATION – SERVER SIDE
Client side (proxy)
No special action is required on the client side.
Two-way (mutual) SSL authentication
Server side
Requirements
Certificate preparation
Only a summary of the certificate preparation steps is given here; many detailed documents about the process are available on the internet. Note that self-signed certificates are for test purposes only; using them in production is discouraged.
Apache HTTPD implementation
# SSL CONFIGURATION – SERVER SIDE
# Enable SSL/TLS on this virtual host
SSLEngine on
# Server certificate presented to clients
SSLCertificateFile "/etc/httpd/conf/server-cert.pem"
# Private key belonging to the server certificate
SSLCertificateKeyFile "/etc/httpd/conf/server-key.key"
# Two-way authentication: the client must present a certificate that verifies against the CA below
SSLVerifyClient require
# CA certificate(s) that issued the client certificates (placeholder path; substitute your own)
SSLCACertificateFile "/etc/httpd/conf/client-ca.pem"
# END OF SSL CONFIGURATION – SERVER SIDE
Client side (proxy)
Requirements
Certificate preparation
The CN (Common Name) matters here: use the value the server side gave you, which in the sample below is 'partner-domain'.
Country Name (2 letter code) [XX]:TR
State or Province Name (full name) []:Marmara
Locality Name (eg, city) [Default City]:Istanbul
Organization Name (eg, company) [Default Company Ltd]:Telenity
Organizational Unit Name (eg, section) []:Telenity
Common Name (eg, your name or your server's hostname) []:partner-domain
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Apache HTTPD only supports keys encoded in PKCS1 RSA, DSA or EC formats. Keys encoded in PKCS8 format (i.e. starting with "-----BEGIN PRIVATE KEY-----") must be converted to a supported format.
Apache HTTPD implementation
The client key and certificate are merged into a single PEM file; the order of the key and the certificate in that file does not matter. Two restrictions apply:
1. An RSA key must be used.
2. The merged file name must denote that it contains both the key and the certificate.
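To make the preparation steps above checkable, here is an added shell helper (not from the original article) that classifies the key's PEM encoding, converts a PKCS#8 key with openssl, merges key and certificate into the "-includekey" file, and verifies the CN and the key/certificate pairing before the file is referenced from SSLProxyMachineCertificateFile. The CN value 'partner-domain' and all file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): prepare and sanity-check the
# key+certificate PEM file that SSLProxyMachineCertificateFile points at.
# Assumptions: openssl is on PATH (to_pkcs1/check_merged only); the expected
# CN 'partner-domain' and all file names are placeholders.
set -eu

# Classify a PEM private key by its first line. Apache wants traditional
# PKCS#1 RSA ("BEGIN RSA PRIVATE KEY"), not PKCS#8 ("BEGIN PRIVATE KEY").
key_format() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
    '-----BEGIN EC PRIVATE KEY-----')        echo ec ;;
    '-----BEGIN DSA PRIVATE KEY-----')       echo dsa ;;
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    *)                                       echo unknown ;;
  esac
}

# Rewrite an unencrypted PKCS#8 key in traditional (PKCS#1) form.
# 'openssl pkey -traditional' exists in OpenSSL 1.1 and 3.x.
to_pkcs1() {
  openssl pkey -in "$1" -traditional -out "$2"
}

# Concatenate key and certificate (order does not matter) into one file whose
# name says it holds the key, following the article's "-includekey" suffix.
merge_key_cert() {
  key=$1; cert=$2; out=$3
  case "$out" in
    *includekey*.pem) ;;
    *) echo "refusing '$out': name must show it includes the key" >&2; return 1 ;;
  esac
  [ "$(key_format "$key")" = pkcs1-rsa ] || { echo "key is not PKCS#1 RSA (run to_pkcs1 first)" >&2; return 1; }
  cat "$key" "$cert" > "$out"
  chmod 600 "$out"   # the merged file now contains a private key
}

# Verify the CN the partner expects and that the key matches the certificate
# (same public key), so a wrong pairing is caught before Apache is restarted.
check_merged() {
  file=$1; want_cn=$2
  cn=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] || { echo "CN is '$cn', expected '$want_cn'" >&2; return 1; }
  [ "$(openssl pkey -in "$file" -pubout)" = "$(openssl x509 -in "$file" -noout -pubkey)" ] \
    || { echo "private key does not match certificate in $file" >&2; return 1; }
}
```

Typical order is key_format, then to_pkcs1 if it reports pkcs8, then merge_key_cert, and finally check_merged on the merged file with the CN the partner expects.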
# SSL CONFIGURATION – CLIENT SIDE
# Enable the SSL client on this virtual host (the traffic to the backends can be encrypted)
SSLProxyEngine on
# Apache must verify the backends' certificate
SSLProxyVerify require
# Maximum depth of the CA chain to check when verifying the backend certificate
# (SSLProxyVerifyDepth is the proxy-side directive; SSLVerifyDepth applies to incoming client certificates)
SSLProxyVerifyDepth 10
# If the backend's CN and hostname do not match, the checks below must be off; the default for both is on.
# Turning them off disables hostname verification, so any certificate from a trusted CA is accepted; keep them on whenever possible.
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
# Client certificate plus its private key that Apache presents to the backend (the merged "-includekey" file)
SSLProxyMachineCertificateFile "/etc/httpd/conf/partner-domain-includekey.pem"
# Backends' CA certificates (certificates of whoever issued your backends' certificates)
SSLProxyCACertificateFile "/etc/httpd/conf/thirdparty-cert-provided-by-server.cert.pem"
# END OF SSL CONFIGURATION – CLIENT SIDE
Refer to the official Apache documentation at https://httpd.apache.org/docs/current/mod/mod_ssl.html.
ProxyPass /secureendpoint https://api.partner-domain/secureapi
ProxyPassReverse /secureendpoint https://api.partner-domain/secureapi
Reference
Original article: https://dev.to/rdemirkoparan/authentication-using-apache-httpd-2imo