Two Way SSL with Jetty and Null Cipher

Submitted on 2019-12-12 00:12:45

Question


I have an application running in Jetty. In front of it, I have a load balancer. The requirement is to have SSL decryption done by the load balancer while the web container does only SSL client authentication.

The theory is that the load balancer is very efficient at decrypting the content and can do that and pass it in plain to the web container.

Any idea how this can be achieved?


Answer 1:


It's not clear what you mean by "Null Cipher" in your title. There are 3 possible candidates: TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA. The first one doesn't perform any authentication, none of them offer any encryption. They're certainly useless for your objective. Use normal cipher suites (with both authentication and encryption) between the browser and the load-balancer. Encryption between the load-balancer and the worker nodes is generally optional, and only required if you don't trust the network where they sit (this would be a completely different SSL/TLS connection anyway and have nothing to do with the client-certificate authentication done by the end browser).

Only the SSL/TLS server can request (and verify) client-certificate authentication. In this case this will be the load balancer.

If you want to have your SSL/TLS traffic handled by your load balancer, it should verify the certificate (presumably against a CA you have configured), and then relay the certificate information to the worker nodes.

How you do this will depend on the load-balancer. If it's an Apache Httpd server, mod_proxy_ajp will relay the client certificate via the AJP protocol (SSLOptions +ExportCertData +StdEnvVars). mod_jk is also able to relay the full client-certificate chain if needed (JkOptions +ForwardSSLCertChain).

If you want to use mod_proxy_http, a trick is to pass the certificate via an HTTP header (mod_header), using something like RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s. You should make sure this header is cleared if it comes from the client's browser (who could forge it otherwise). In this case, you'll need to write a filter as part of your Jetty server to handle that header and place it into the javax.servlet.request.X509Certificate HttpServletRequest attribute (it should be an array of X509Certificate). After this, you should be more or less at the same stage as what you would have with AJP. This may also work with other load balancers if they're capable of populating an HTTP header in a similar way.
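The Jetty-side filter the answer describes, as an added example that is not part of the original answer or of Jetty itself. It assumes the load balancer sets the X-ClientCert header from SSL_CLIENT_CERT as shown above and overwrites it on every request; the class name ClientCertHeaderFilter and the single-certificate handling are the example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.*;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: converts the proxy-supplied X-ClientCert header into the
 *  standard javax.servlet.request.X509Certificate request attribute. */
public class ClientCertHeaderFilter implements Filter {
    static final String HEADER = "X-ClientCert";                      // name used in the answer
    static final String ATTR = "javax.servlet.request.X509Certificate"; // servlet spec attribute

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String pem = http.getHeader(HEADER);
        // Only safe because the proxy replaces this header on every request;
        // a value arriving straight from a browser would be attacker-controlled.
        if (pem != null && !pem.isEmpty()) {
            try {
                http.setAttribute(ATTR, new X509Certificate[] { parsePem(pem) });
            } catch (CertificateException | IllegalArgumentException e) {
                // Malformed header: reject instead of proceeding unauthenticated.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Parses one PEM certificate; tolerates newlines that the proxy may have
     *  folded into spaces or stripped when it put the value into a header. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        String b64 = pem.replace("-----BEGIN CERTIFICATE-----", "")
                        .replace("-----END CERTIFICATE-----", "")
                        .replaceAll("\\s+", "");
        byte[] der = Base64.getDecoder().decode(b64);  // throws IllegalArgumentException if not base64
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Register the filter in web.xml (or programmatically) ahead of any filter that reads the attribute; authorization decisions should still check the certificate's subject or chain, since this filter only makes it available.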



Source: https://stackoverflow.com/questions/11697383/two-way-ssl-with-jetty-and-null-cipher
