Scenario

Client <-- mutual TLS (client certificate) --> Nginx <-- proxy_set_header X-Client-Cert $ssl_client_cert; --> Jetty

Nginx has TLS mutual authentication enabled and passes the client certificate to the backend Jetty in the X-Client-Cert header. The header looks like this (the certificate body is elided):

X-Client-Cert: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
Problem

After upgrading Jetty to 9.3.x, requests fail with 400 Bad Request.
Cause

Jetty 9.3.x implements RFC 7230. For the changes in RFC 7230 compared with RFC 2616, see RFC 7230's own list of changes from RFC 2616; one of them reads:

Header fields that span multiple lines ("line folding") are deprecated. (Section 3.2.4)

In other words, before RFC 7230 an HTTP header value was allowed to span several lines (from the second line on, each continuation line starts with a space or a tab). The PEM certificate placed in X-Client-Cert is multi-line, so the header arrives folded, and an RFC 7230 parser rejects it with 400.
Solution

Configure Jetty 9.3.x to accept the RFC 2616 grammar, in $JETTY_BASE/start.d/http.ini:

## HTTP Compliance: RFC7230, RFC2616, LEGACY
jetty.http.compliance=RFC2616
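To make the failure mode concrete, here is an added example (it is not code from the original post, Nginx or Jetty) that parses a header block in the two compliance modes named in http.ini. In RFC7230 mode a continuation line starting with space or tab is rejected with 400, exactly as Jetty 9.3.x does; in RFC2616 mode it is unfolded into the previous field. The folded value is built the way nginx's $ssl_client_cert expands (every PEM line after the first prefixed with a tab). The example also shows the alternative that avoids the problem at the proxy instead of relaxing the parser: URL-encoding the certificate so it fits on one line, which is what nginx's $ssl_client_escaped_cert variable (nginx 1.13.5 and later) provides. The PEM body, the backend host name and the exact encoding used by that nginx variable are assumptions made for the example.

```python
import urllib.parse

# Constructed sample PEM; the body is a placeholder, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBPLACEHOLDERBODY\n"
    "-----END CERTIFICATE-----"
)


class BadRequest(Exception):
    """Raised where an RFC 7230 server would answer 400 Bad Request."""


def fold_like_ssl_client_cert(pem):
    """Mimic nginx's $ssl_client_cert: every line after the first is prefixed
    with a tab, so the header value continues over several lines (obs-fold)."""
    return pem.replace("\n", "\r\n\t")


def escape_like_ssl_client_escaped_cert(pem):
    """Mimic nginx's $ssl_client_escaped_cert: URL-encode the PEM so the value
    stays on a single header line (assumed equivalent to urllib's quote)."""
    return urllib.parse.quote(pem, safe="")


def unescape_cert(value):
    """Backend-side decoding of the URL-encoded certificate."""
    return urllib.parse.unquote(value)


def parse_header_block(block, compliance="RFC7230"):
    """Parse a CRLF-delimited header block in one of the two compliance modes
    from http.ini: RFC7230 rejects obs-fold with 400, RFC2616 unfolds it by
    joining the continuation onto the previous field with a single space."""
    headers = {}
    last = None
    for line in block.split("\r\n"):
        if line == "":
            break  # blank line ends the header block
        if line[0] in " \t":  # continuation line (obs-fold)
            if compliance == "RFC7230":
                raise BadRequest("line folding is obsolete (RFC 7230 3.2.4)")
            if last is None:
                raise BadRequest("continuation line before any header field")
            headers[last] += " " + line.strip(" \t")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise BadRequest("malformed header line: %r" % line)
        last = name.strip()
        headers[last] = value.strip(" \t")
    return headers


def proxied_header_block(cert_value):
    """Constructed header block as the proxy would forward it to the backend
    (the Host value is an assumption)."""
    return ("Host: backend.example\r\n"
            "X-Client-Cert: " + cert_value + "\r\n"
            "\r\n")


def jetty_outcome(cert_value, compliance):
    """Return ("400", None) on rejection, else ("200", forwarded cert value)."""
    try:
        headers = parse_header_block(proxied_header_block(cert_value), compliance)
    except BadRequest:
        return ("400", None)
    return ("200", headers["X-Client-Cert"])


if __name__ == "__main__":
    folded = fold_like_ssl_client_cert(SAMPLE_PEM)
    print("folded,  RFC7230:", jetty_outcome(folded, "RFC7230"))
    print("folded,  RFC2616:", jetty_outcome(folded, "RFC2616"))
    escaped = escape_like_ssl_client_escaped_cert(SAMPLE_PEM)
    status, value = jetty_outcome(escaped, "RFC7230")
    print("escaped, RFC7230:", status, unescape_cert(value) == SAMPLE_PEM)
```

Switching jetty.http.compliance to RFC2616 fixes the symptom on the backend; encoding the certificate at the proxy keeps the strict RFC 7230 parser in place and gives the backend a single-line value it can decode unambiguously.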