apache - Apache 反向代理 Kerberos

Question

我有一个使用 mod_auth_kerb 配置的内部 Apache 服务器。我还有一个外部 Apache 服务器，它代理到内部的连接。

当用户在内部与他们的域帐户连接时，使用 kerberose 的 SSO 可以工作。在外部访问时，系统会提示他们输入用户名和密码。在我们实施第二个域（又名领域）之前，此设置一直有效。

在内部，任一域上的用户都可以进行身份​​验证。但在外部，输入凭据后，内部服务器报告

[Mon Sep 24 11:17:17.482681 2018] [auth_kerb:error] [pid 10547:tid 140441496266496] [client 10.200.3.36:49484] failed to verify krb5 credentials: Server not found in Kerberos database, referer: https://server.com/

和代理报告

Mon Sep 24 11:17:18.127581 2018] [proxy_http:error] [pid 2539] (70014)End of file found: [client xxx.xxx.xxx.xxx:60926] AH01102: error reading status line from remote server server.com:443, referer: https://server.com/

我知道我遗漏了一些明显的东西。

这是代理的配置

<VirtualHost *:443>
ServerName server.com
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/server.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.com.key
SSLCertificateChainFile /etc/pki/tls/certs/server.com.inter.crt
SSLProxyEngine On
ProxyPass "/" "https://server.com/"
ProxyPassReverse "/" "https://server.com/"
</VirtualHost>

来自内部服务器的配置

<VirtualHost *:443>
ServerName server.com
DocumentRoot /var/www/html/wordpress
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.com.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/server.com.key"
SSLCertificateChainFile /etc/pki/tls/certs/server.com.inter.crt
SSLProtocol +TLSv1.2
SSLCipherSuite RSA:HIGH:-LOW:-RC4

<IF "'%{REMOTE_ADDR}' != '10.200.3.35' && '${REQUEST_URI}' != '/wp-admin'">
AuthType Kerberos
AuthName "Kerberos authenticated intranet"
KrbAuthRealms REALM1 REAM2
KrbServiceName Any
Krb5KeyTab /etc/httpd/merged.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
require valid-user
</IF>

<Directory "/var/www/html/wordpress">
AllowOverride All
</Directory>
</VirtualHost>

密钥表示例

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 HTTP/server.com@REALM1
   2    1 HTTP/server.com@REALM1
   3    1 HTTP/server.com@REALM1
   4    1 HTTP/server.com@REALM1
   5    1 HTTP/server.com@REALM1
   6    1          HTTP/server.com@REALM2
   7    1          HTTP/server.com@REALM2
   8    1          HTTP/server.com@REALM2
   9    1          HTTP/server.com@REALM2
  10    1          HTTP/server.com@REALM2