Bry*_*yan 0 networking http proxy https
在某些情况下,有一个 HTTP(s) 服务器有一些我试图代理的资产,我需要使用 IP 地址而不是域来这样做。经过一些故障排除后,我意识到如果我向其发出 HTTP 请求,我会https://202.100.200.152/sushi/得到响应,并且只有在我使用域时才能得到我想要的响应https://sp.water.contoso.com/sushi/。
我确信 HTTP(s) 服务器在它前面有一个代理,可以在所有地方路由连接。我无法访问此服务器,因此我将其视为黑匣子。我想也许它通过主机头检查域,但是当我覆盖它时它仍然不起作用。
我想知道除了 HOST 标头之外还有哪些其他因素会导致我没有得到我想要的响应。
我用 CURL模拟了BAD响应:
curl -k -v -I -H 'Host: sp.water.contoso.com' https://202.100.200.152/sushi/
* Trying 202.100.200.152...
* TCP_NODELAY set
* Connected to 202.100.200.152 (202.100.200.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.water.contoso.com
* start date: Feb 11 18:53:34 2020 GMT
* expire date: Feb 10 18:53:35 2022 GMT
* issuer: CN=ingress-operator@3582449223
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> HEAD /sushi/ HTTP/1.1
> Host: sp.water.contoso.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
HTTP/1.0 503 Service Unavailable
< Pragma: no-cache
Pragma: no-cache
< Cache-Control: private, max-age=0, no-cache, no-store
Cache-Control: private, max-age=0, no-cache, no-store
< Connection: close
Connection: close
< Content-Type: text/html
Content-Type: text/html
<
* Excess found in a non pipelined read: excess = 3131 url = /sushi/ (zero-length body)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
然后是CURL的GOOD响应
curl -v -I -k https://sp.water.contoso.com/sushi/
* Trying 202.100.200.152...
* TCP_NODELAY set
* Connected to sp.water.contoso.com (202.100.200.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=Silicon Valley; O=Cupcake; OU=contoso Data Platform; emailAddress=contoso-adp@us.contoso.com; CN=contoso-Data-and-AI
* start date: Oct 29 04:33:35 2019 GMT
* expire date: Jan 30 04:33:35 2022 GMT
* issuer: C=US; ST=CA; L=Silicon Valley; O=Cupcake; OU=contoso Data Platform; emailAddress=contoso-adp@us.contoso.com; CN=contoso-Data-and-AI
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD /sushi/ HTTP/1.1
> Host: sp.water.contoso.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: openresty
Server: openresty
< Date: Wed, 17 Jun 2020 17:46:01 GMT
Date: Wed, 17 Jun 2020 17:46:01 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Content-Length: 266
Content-Length: 266
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: Express
X-Powered-By: Express
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: public, max-age=0
Cache-Control: public, max-age=0
< Last-Modified: Tue, 02 Jun 2020 21:26:35 GMT
Last-Modified: Tue, 02 Jun 2020 21:26:35 GMT
< ETag: W/"10a-17276edcaf8"
ETag: W/"10a-17276edcaf8"
< X-Frame-Options: DENY
X-Frame-Options: DENY
<
* Connection #0 to host sp.water.contoso.com left intact
* Closing connection 0
正如您从 CURL 输出中看到的,两者都使用相同的 IP,并且这些>部分表明它们发送相同的标头。服务器返回我不需要的页面的一些可能原因是什么?
这里的原因是当您向 IP 地址发出请求时,TLS Server Name Indication 字段包含主机的 IP 地址,而不是域。
您连接的服务器具有为 IP 地址和不同域名定义的不同虚拟主机。为 IP 地址定义的虚拟主机不提供您正在寻找的服务。
为了使用 curl 发送正确的 TLS 服务器名称指示字段,您需要使用--resolve参数:
curl --resolve sp.water.contoso.com:443:209.100.200.152 https://sp.water.contoso.com/sushi/
这将告诉服务器应该与sp.water.contoso.com虚拟主机建立 TLS 连接,而不是 IP 地址。
添加 HTTPHost头仅对 HTTP 协议有效。
| 归档时间: |
|
| 查看次数: |
2205 次 |
| 最近记录: |