PassTLSClientCert

在标题中添加客户端证书

PassTLSClientCert在标头中添加从传递的客户端tls证书中选择的数据.

Configuration Examples

X-Forwarded-Tls-Client-Cert标头中传递转义的pem.

# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: addprefix
spec:
  passTLSClientCert:
    pem: true
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
"labels": {
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
}
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
[http.middlewares]
  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    pem = true
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
http:
  middlewares:
    test-passtlsclientcert:
      passTLSClientCert:
        pem: true
X-Forwarded-Tls-Client-Cert标头中传递转义的pem
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-passtlsclientcert
spec:
  passTLSClientCert:
    info:
      notAfter: true
      notBefore: true
      sans: true
      subject:
        country: true
        province: true
        locality: true
        organization: true
        commonName: true
        serialNumber: true
        domainComponent: true
      issuer:
        country: true
        province: true
        locality: true
        organization: true
        commonName: true
        serialNumber: true
        domainComponent: true
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
"labels": {
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
}
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
      notAfter = true
      notBefore = true
      sans = true
      [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
        country = true
        province = true
        locality = true
        organization = true
        commonName = true
        serialNumber = true
        domainComponent = true
      [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
        country = true
        province = true
        locality = true
        organization = true
        commonName = true
        serialNumber = true
        domainComponent = true
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
http:
  middlewares:
    test-passtlsclientcert:
      passTLSClientCert:
        info:
          notAfter: true
          notBefore: true
          sans: true
          subject:
            country: true
            province: true
            locality: true
            organization: true
            commonName: true
            serialNumber: true
            domainComponent: true
          issuer:
            country: true
            province: true
            locality: true
            organization: true
            commonName: true
            serialNumber: true
            domainComponent: true

Configuration Options

General

PassTLSClientCert可以将两个标头添加到请求中:

  • X-Forwarded-Tls-Client-Cert ,其中包含转义的pem.
  • X-Forwarded-Tls-Client-Cert-Info ,它在转义字符串中包含所有选定的证书信息.

Info

  • 标头中填充了转义字符串,因此可以将其安全地放置在URL查询中.
  • 这些选项仅适用于MutualTLS配置 . 也就是说,仅通过与clientAuth.clientAuthType策略匹配的证书.

在以下示例中,您可以看到完整的证书. 我们将使用它的每个部分来解释中间件选项.

完整的客户tls证书
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/[email protected]/[email protected]
        Validity
            Not Before: Dec  6 11:10:16 2018 GMT
            Not After : Dec  5 11:10:16 2020 GMT
        Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/[email protected]/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
                    a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
                    1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
                    d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
                    8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
                    39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
                    dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
                    6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
                    11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
                    2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
                    63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
                    a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
                    d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
                    fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
                    d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
                    c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
                    2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
                    ee:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
            X509v3 Authority Key Identifier: 
                keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03

            X509v3 Subject Alternative Name: 
                DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:[email protected], email:[email protected]
    Signature Algorithm: sha1WithRSAEncryption
         76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
         16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
         ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
         5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
         8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
         cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
         1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
         8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
         74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
         9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
         62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
         60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
         9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
         d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
         c6:98:8a:31
-----BEGIN CERTIFICATE-----
MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
-----END CERTIFICATE-----

pem

pem选项使用转义证书设置X-Forwarded-Tls-Client-Cert标头.

在示例中,它是-----BEGIN CERTIFICATE----------END CERTIFICATE-----分隔符之间的部分:

pem选项使用的数据
-----BEGIN CERTIFICATE-----
MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
-----END CERTIFICATE-----

提取数据

分隔符和\n将被删除.
如果有一个以上的证书,它们由分隔" ". ,

X-Forwarded-Tls-Client-Cert值可能超过Web服务器标头的大小限制

Web服务器的标头大小限制通常在4kb和8kb之间.
您可以更改服务器配置以允许更大的标头,或将info选项与必填字段一起使用.

info

info选项选择要添加到X-Forwarded-Tls-Client-Cert-Info标头的特定客户端证书详细X-Forwarded-Tls-Client-Cert-Info . 标头的值将是所有选定证书详细信息的转义串联.

以下示例显示了使用所有可用字段的未转义结果:

Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,[email protected],[email protected],10.0.1.0,10.0.1.2"

多个证书

如果有一个以上的证书,他们被分离, .

info.notAfter

info.notAfter选项设置为true以从Validity部分添加Not After信息.

数据来自以下证书部分:

    Validity
        Not After : Dec  5 11:10:16 2020 GMT            

转义notAfter信息部分将类似于:

NA="1607166616"

info.notBefore

info.notBefore选项设置为true以添加Validity部分中的Not Before信息.

数据来自以下证书部分:

Validity
    Not Before: Dec  6 11:10:16 2018 GMT

转义notBefore信息部分将是:

NB="1544094616"

info.sans

info.sans选项设置为true可以从" Subject Alternative Name部分添加" Subject Alternative Name信息.

数据来自以下证书部分:

 X509v3 Subject Alternative Name: 
    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:[email protected], email:[email protected]

转义SAN信息部分将类似于:

SAN="*.cheese.org,*.cheese.net,*.cheese.com,[email protected],[email protected],10.0.1.0,10.0.1.2"

多个值

所有的SAN数据通过分离, .

info.subject

info.subject选择要添加到X-Forwarded-Tls-Client-Cert-Info标头的特定客户端证书主题详细X-Forwarded-Tls-Client-Cert-Info .

数据取自以下证书部分:

Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/[email protected]/[email protected]
info.subject.country

info.subject.country选项设置为true可将country信息添加到主题中.
使用C键从主题部分获取数据. 主题部分中的逃避国家/地区信息如下:

C=FR,C=US
info.subject.province

info.subject.province选项设置为true可将province信息添加到主题中.

使用ST键从主题部分获取数据.

The escape province info in the subject part will be like :

ST=Cheese org state,ST=Cheese com state
info.subject.locality

info.subject.locality选项设置为true可将locality信息添加到主题中.

使用L键从主题部分获取数据.

主题部分中的逃逸地点信息将类似于:

L=TOULOUSE,L=LYON
info.subject.organization

info.subject.organization选项设置为true以将organization信息添加到主题中.

使用O键从主题部分获取数据.

主题部分中的逃生组织信息将类似于:

O=Cheese,O=Cheese 2
info.subject.commonName

info.subject.commonName选项设置为true可以将commonName信息添加到主题中.

使用CN键从主题部分获取数据.

主题部分中的转义通用名称信息将类似于:

CN=*.cheese.com
info.subject.serialNumber

info.subject.serialNumber选项设置为true可以将serialNumber信息添加到主题中.

数据使用SN键从主题部分获取.

主题部分中的转义序列号信息将类似于:

SN=1234567890
info.subject.domainComponent

info.subject.domainComponent选项设置为true可以将domainComponent信息添加到主题中.

使用DC键从主题部分获取数据.

主题部分中的转义域组件信息将类似于:

DC=org,DC=cheese

info.issuer

info.issuer选择要添加到X-Forwarded-Tls-Client-Cert-Info标头的特定客户端证书颁发者详细X-Forwarded-Tls-Client-Cert-Info .

数据取自以下证书部分:

Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/[email protected]/[email protected]
info.issuer.country

info.issuer.country选项设置为true以将country信息添加到发行者中.
数据使用C键从发行方获取. 发行人部分中的逃避国家/地区信息如下:

C=FR,C=US
info.issuer.province

info.issuer.province选项设置为true以将province信息添加到发行者中.

数据是使用ST键从发行者部分获取的.

发行者部分中的逃逸省信息将类似于:

ST=Signing State,ST=Signing State 2
info.issuer.locality

info.issuer.locality选项设置为true可以将locality信息添加到颁发者中.

使用L键从发行者部分获取数据.

发行人部分中的转义位置信息将类似于:

L=TOULOUSE,L=LYON
info.issuer.organization

info.issuer.organization选项设置为true以将organization信息添加到发行者中.

数据使用O键从发行方获取.

发行者部分中的逃脱组织信息将类似于:

O=Cheese,O=Cheese 2
info.issuer.commonName

info.issuer.commonName选项设置为true可以将commonName信息添加到颁发者中.

使用CN密钥从发行者部分获取数据.

发行者部分中的转义通用名称信息将类似于:

CN=Simple Signing CA 2
info.issuer.serialNumber

info.issuer.serialNumber选项设置为true可以将serialNumber信息添加到颁发者中.

数据是使用SN密钥从发行者部分获取的.

发行者部分中的转义序列号信息将类似于:

SN=1234567890
info.issuer.domainComponent

info.issuer.domainComponent选项设置为true可以将domainComponent信息添加到颁发者中.

数据是使用DC密钥从发行者部分获取的.

发行者部分中的转义域组件信息将类似于:

DC=org,DC=cheese