0

我已经在不同的 AWS 实例中设置了两个 esb 服务器(集群),并且我正在使用 Apache LB 来执行负载平衡部分。我无法指定其他实例(甚至同一个实例)的 IP,因为它提供了以下安全问题,可以在apapche error.log但我可以使用 localhost 而不是 ip(对于同一台服务器)中找到它并且它可以工作。我的 apache 配置低于错误日志。我想我需要向 esb 的客户端商店添加证书。如果是这样,请指导我如何做到这一点(我尝试将 IP 指定为 CN,但没有运气)。否则我在这里做错了什么?

[Tue Oct 06 15:55:52.803633 2015] [proxy:debug] [pid 16827:tid 140445371795200] proxy_util.c(2610): AH00962: HTTPS: connection complete to 172.31.25.41:9443 (172.31.25.41)
[Tue Oct 06 15:55:52.803645 2015] [ssl:info] [pid 16827:tid 140445371795200] [remote 172.31.25.41:9443] AH01964: Connection to child 0 established (server esb.wso2.com:443)
[Tue Oct 06 15:55:52.824988 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_engine_kernel.c(1381): [remote 172.31.25.41:9443] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / issuer: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / serial: 4B7E3782 / notbefore: Feb 19 07:02:26 2010 GMT / notafter: Feb 13 07:02:26 2035 GMT]
[Tue Oct 06 15:55:52.825028 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_engine_kernel.c(1381): [remote 172.31.25.41:9443] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / issuer: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / serial: 4B7E3782 / notbefore: Feb 19 07:02:26 2010 GMT / notafter: Feb 13 07:02:26 2035 GMT]
[Tue Oct 06 15:55:52.846640 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_engine_kernel.c(1844): [remote 172.31.25.41:9443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-DES-CBC3-SHA (168/168 bits)
[Tue Oct 06 15:55:52.846678 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_util_ssl.c(407): AH02412: [esb.wso2.com:443] Cert does not match for name '172.31.25.41' [subject: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / issuer: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / serial: 4B7E3782 / notbefore: Feb 19 07:02:26 2010 GMT / notafter: Feb 13 07:02:26 2035 GMT]
[Tue Oct 06 15:55:52.846684 2015] [ssl:info] [pid 16827:tid 140445371795200] [remote 172.31.25.41:9443] AH02411: SSL Proxy: Peer certificate does not match for hostname 172.31.25.41
[Tue Oct 06 15:55:52.846697 2015] [ssl:info] [pid 16827:tid 140445371795200] [remote 172.31.25.41:9443] AH01998: Connection closed to child 0 with abortive shutdown (server esb.wso2.com:443)
[Tue Oct 06 15:55:52.846716 2015] [proxy:error] [pid 16827:tid 140445371795200] (502)Unknown error 502: [client 123.231.123.216:42158] AH01084: pass request body failed to 172.31.25.41:9443 (172.31.25.41)
[Tue Oct 06 15:55:52.846730 2015] [proxy:error] [pid 16827:tid 140445371795200] [client 123.231.123.216:42158] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Oct 06 15:55:52.846733 2015] [proxy_http:error] [pid 16827:tid 140445371795200] [client 123.231.123.216:42158] AH01097: pass request body failed to 172.31.25.41:9443 (172.31.25.41) from 123.231.123.216 ()
[Tue Oct 06 15:55:52.846736 2015] [proxy:debug] [pid 16827:tid 140445371795200] proxy_util.c(2035): AH00943: HTTPS: has released connection for (172.31.25.41)
[Tue Oct 06 15:55:52.846759 2015] [proxy_balancer:debug] [pid 16827:tid 140445371795200] mod_proxy_balancer.c(668): [client 123.231.123.216:42158] AH01176: proxy_balancer_post_request for (balancer://ssl.wso2.esb.com)

阿帕奇配置。

<VirtualHost *:443>
 ServerName mgt.esb.wso2.com
 ProxyRequests off
 LogLevel debug
 ProxyPass / https://<pvt_ip>:9443/carbon/ *** I can use localhost here and it work
 ProxyPassReverse / https://<pvt_ip>:9443/carbon/
 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl/mgt.crt
 SSLCertificateKeyFile /etc/apache2/ssl/mgt.key
 SSLProxyEngine On
 SSLProxyVerify none
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off
</VirtualHost>
4

1 回答 1

0 
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off

我将以下配置添加到 apache 配置文件并可以解决问题,但它的作用是停止比较 CN、PeerName 或 Expiration。

于 2015-10-07T04:50:06.933 回答