How to set up two-way SSL or mutual authentication between Apache and Wildfly 19 using mod_proxy over https?

Tags: apache, wildfly, mod-proxy

After struggling for a while and not finding any documentation online on setting up two-way or mutual SSL between Apache HTTPD 2.4 and Wildfly 19, I decided to write my own, hoping it helps someone. Basically, it is about securely carrying traffic between Apache and Wildfly over https.

Reference/courtesy: JBoss documentation - . This write-up is mainly based on it, but modified for Wildfly 19 and the Elytron SSL context.

Environment
  • Red Hat or CentOS 7 or 8
  • Wildfly 19
  • Apache HTTPD 2.4 with mod_proxy over https
  • OpenJDK 1.8.0_242 (TLS v1.2). If you need TLS v1.3, use JDK 11 or later

Solution steps: Wildfly 19

CLI commands

/subsystem=elytron/key-store=MyKeyStore:add(path=/etc/certs/selfSigned/jboss.keystore,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=MyKeyManager:add(key-store=MyKeyStore,credential-reference={clear-text=secret})
/subsystem=elytron/key-store=MyKeyTrustStore:add(path=/etc/certs/selfSigned/jboss.truststore,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/trust-manager=MyTrustManager:add(key-store=MyKeyTrustStore)
/subsystem=elytron/server-ssl-context=MySSLContext:add(key-manager=MyKeyManager,protocols=["TLSv1.2"],trust-manager=MyTrustManager,need-client-auth=true)
/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https,ssl-context=MySSLContext,enable-http2=true)
:reload
Result:

standalone-full.xml

. . .
. . .
. . .
. . .
Apache config:

ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600

SSLProxyEngine On
SSLProxyVerify On
# For self-signed certs with a CN other than localhost
SSLProxyCheckPeerCN off

# SSLProxyCACertificateFile - can be either the cert of the JBoss server (when using self-signed certs)
# or the CA that signed the JBoss cert.
# If you are using an actual CA-signed cert you don't need to specify SSLProxyCACertificateFile.
SSLProxyCACertificateFile certs/jboss_cert.pem

# SSLProxyMachineCertificateFile - contains the public/private key pair (PEM formatted, concatenated).
# This is what tells Wildfly whether the request is coming from a trusted Apache.
# Once again, you don't have to specify this if you have a CA-signed cert. Only for self-generated certs.
SSLProxyMachineCertificateFile certs/apache_proxy.pem


ProxyPass / https://wildfly-localhost:8443/  keepalive=On
ProxyPassReverse / https://wildfly-localhost:8443/

Script to generate the self-signed certificates:
#!/bin/bash
# Create a PKCS12 keystore holding a fresh RSA key pair under the given alias
function createKeyStore
{
  KEY_FILE=$1
  ALIAS=$2
  DN=$3
  PASS=$4
  keytool -genkey -alias "$ALIAS" -keyalg RSA -keystore "$KEY_FILE" -validity 365 -storetype pkcs12 -storepass "$PASS" -keypass "$PASS" -dname "$DN"
}
# Export the certificate (DER) for the alias from a keystore
function exportCert
{
  KEY_FILE=$1
  ALIAS=$2
  EXPORT_FILE=$3
  PASS=$4
  keytool -export -alias "$ALIAS" -keystore "$KEY_FILE" -storepass "$PASS" -file "$EXPORT_FILE"
}
# Import a certificate into a keystore (creates it if missing), used for the truststore
function importCert
{
  KEY_FILE=$1
  ALIAS=$2
  IMPORT_FILE=$3
  PASS=$4
  keytool -import -noprompt -alias "$ALIAS" -keystore "$KEY_FILE" -storepass "$PASS" -file "$IMPORT_FILE"
}
PASSWORD="secret"
APACHE_CN="/C=US/ST=AR/L=Somewhere/CN=APACHE"
# Use your own domain name, e.g. example.com
JBOSS_CN="CN=localhost"
JBOSS_KEYSTORE="jboss.keystore"
JBOSS_CERT="jboss.cert"
JBOSS_KEY_ALIAS="server"
JBOSS_TRUSTSTORE="jboss.truststore"
echo "Creating public and private keys for Wildfly (server side)"
createKeyStore "$JBOSS_KEYSTORE" "$JBOSS_KEY_ALIAS" "$JBOSS_CN" "$PASSWORD"
exportCert "$JBOSS_KEYSTORE" "$JBOSS_KEY_ALIAS" "$JBOSS_CERT" "$PASSWORD"
echo "Building public/private key for use with Apache (client)"
#openssl req -x509 -subj "$APACHE_CN" -nodes -days 365 -newkey rsa:2048 -keyout apache_key.pem -out apache_cert.pem
# Apache private key (use at least 2048-bit RSA)
openssl genrsa -out apache_key.pem 2048
# Apache certificate (public)
openssl req -new -key apache_key.pem -x509 -subj "$APACHE_CN" -out apache_cert.pem -days 365
# Apache combined key + cert bundle (SSLProxyMachineCertificateFile)
cat apache_key.pem apache_cert.pem > apache_proxy.pem
# Trust the Apache cert on the Wildfly side
importCert "$JBOSS_TRUSTSTORE" "apache" "apache_cert.pem" "$PASSWORD"
# Convert the exported DER cert to PEM for Apache (SSLProxyCACertificateFile)
openssl x509 -in "$JBOSS_CERT" -inform DER -out jboss_cert.pem -outform PEM
Result:

-rw-r--r-- 1 user root 1253 Apr 15 00:44 apache_cert.pem
-rw------- 1 user root 1679 Apr 15 00:44 apache_key.pem
-rw-r--r-- 1 user root 2932 Apr 15 00:44 apache_proxy.pem
-rw-r--r-- 1 user root  717 Apr 15 00:44 jboss.cert
-rw-r--r-- 1 user root 1025 Apr 15 00:44 jboss_cert.pem
-rw-r--r-- 1 user root 2421 Apr 15 00:44 jboss.keystore
-rw-r--r-- 1 user root  948 Apr 15 00:44 jboss.truststore
If you have any questions, feel free to create a ticket.
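As an added example (not code from the original post), the script below is a small pre-flight check for the two files the Apache config hands to mod_ssl on the proxy leg: the client bundle given to SSLProxyMachineCertificateFile and the trust anchor given to SSLProxyCACertificateFile. It assumes the file names used in the post (apache_proxy.pem, jboss_cert.pem) and, for the optional live handshake, the wildfly-localhost:8443 target from the ProxyPass line; the structural checks need only POSIX sh, grep and stat. The permission check is there because the listing above shows apache_proxy.pem, which embeds apache_key.pem, as -rw-r--r--.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files Apache uses as a TLS
# client towards Wildfly. File names follow the post; nothing here is the
# post's own code.

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when the file carries at least one PRIVATE KEY PEM block.
has_private_key() {
    grep -q -e '-----BEGIN.*PRIVATE KEY-----' "$1"
}

# Succeeds when the file carries at least one CERTIFICATE PEM block.
has_certificate() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds when group and other have no permission bits (mode x00),
# which is what any file holding a private key should look like.
is_owner_only() {
    case "$(perm_bits "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check a client bundle and a CA/peer cert file. Prints one line per
# finding and returns the number of failed checks (0 means all good).
check_proxy_materials() {
    bundle=$1
    ca=$2
    failures=0

    # SSLProxyMachineCertificateFile must hold key and cert concatenated.
    if has_private_key "$bundle" && has_certificate "$bundle"; then
        echo "ok   $bundle: private key and certificate present"
    else
        echo "FAIL $bundle: needs key and cert concatenated (cat key.pem cert.pem)"
        failures=$((failures + 1))
    fi

    # The bundle embeds the private key, so it must not be group/world readable.
    if is_owner_only "$bundle"; then
        echo "ok   $bundle: mode $(perm_bits "$bundle")"
    else
        echo "FAIL $bundle: mode $(perm_bits "$bundle") exposes the key; chmod 600 it"
        failures=$((failures + 1))
    fi

    # SSLProxyCACertificateFile should be certificates only; a private key
    # in here is a copy/paste accident that would leak the Wildfly key.
    if has_certificate "$ca" && ! has_private_key "$ca"; then
        echo "ok   $ca: certificate only"
    else
        echo "FAIL $ca: expected certificate(s) and no private key"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Optional live check (needs openssl and a running Wildfly listener):
# present the bundle as client cert/key and verify the server against the
# same trust anchor Apache uses. Example target: wildfly-localhost:8443.
handshake_test() {
    openssl s_client -connect "$1" -cert "$2" -key "$2" -CAfile "$3" </dev/null 2>&1 \
        | grep -E 'Verify return code|Acceptable client certificate CA names'
}

# Usage: sh check_proxy_materials.sh certs/apache_proxy.pem certs/jboss_cert.pem
if [ "$#" -eq 2 ]; then
    check_proxy_materials "$1" "$2"
fi
```

Run it from the Apache configuration directory; the exit status is the number of failed checks. `handshake_test wildfly-localhost:8443 certs/apache_proxy.pem certs/jboss_cert.pem` is a separate manual step because it needs the listener to be up: a `Verify return code: 0 (ok)` line means the trust anchor in SSLProxyCACertificateFile matches the Wildfly certificate, and an `Acceptable client certificate CA names` block confirms the listener is actually requesting a client certificate (need-client-auth=true). One caveat on the Apache config itself: on httpd 2.4.5 and later SSLProxyCheckPeerName (default on) supersedes SSLProxyCheckPeerCN, so Apache still checks that the host in the ProxyPass URL matches the CN or a SAN of the Wildfly certificate; issue the Wildfly certificate for that host name, or set SSLProxyCheckPeerName off as well.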