优化证书认证逻辑，增加回退用户认证功能，可选仅证书认证

server/base/cfg.go

@@ -47,7 +47,8 @@ type ServerConfig struct {
 	DbSource            string `json:"db_source"`
 	CertFile            string `json:"cert_file"`
 	CertKey             string `json:"cert_key"`
-	AuthAloneCert       bool   `json:"auth_alone_cert"`
+	AuthCert            bool   `json:"auth_cert"`
+	AuthOnlyCert        bool   `json:"auth_only_cert"`
 	ClientCertCAFile    string `json:"client_ca_file"`
 	ClientCertCAKeyFile string `json:"client_ca_key_file"`
 	FilesPath           string `json:"files_path"`

server/base/config.go

@@ -33,7 +33,8 @@ var configs = []config{
 	{Typ: cfgStr, Name: "db_source", Usage: "数据库source", ValStr: "./conf/anylink.db"},
 	{Typ: cfgStr, Name: "cert_file", Usage: "证书文件", ValStr: "./conf/vpn_cert.pem"},
 	{Typ: cfgStr, Name: "cert_key", Usage: "证书密钥", ValStr: "./conf/vpn_cert.key"},
-	{Typ: cfgBool, Name: "auth_alone_cert", Usage: "启用独立证书验证", ValBool: false},
+	{Typ: cfgBool, Name: "auth_cert", Usage: "启用证书验证", ValBool: false},
+	{Typ: cfgBool, Name: "auth_only_cert", Usage: "仅证书验证", ValBool: false},
 	{Typ: cfgStr, Name: "client_ca_file", Usage: "客户端证书CA证书", ValStr: "./conf/client_ca.pem"},
 	{Typ: cfgStr, Name: "client_ca_key_file", Usage: "客户端证书CA密钥", ValStr: "./conf/client_ca.key"},
 	{Typ: cfgStr, Name: "files_path", Usage: "外部下载文件路径", ValStr: "./conf/files"},

server/conf/profile.xml

@@ -13,6 +13,8 @@
         <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
         <LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
         <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
+        <CertificateStore>User</CertificateStore>
+        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
         <CertificateMatch>
             <KeyUsage>
                 <MatchKey>Digital_Signature</MatchKey>
@@ -20,7 +22,6 @@
             <ExtendedKeyUsage>
                 <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
             </ExtendedKeyUsage>
-        <CertificateStore>User</CertificateStore>
         </CertificateMatch>
 
     </ClientInitialization>

server/conf/server-sample.toml

@@ -10,10 +10,10 @@ db_source = "./conf/anylink.db"
 cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
 
-#是否启用独立证书验证,开启后客户端连接需要携带证书
-#如果不开启则使用用户名密码验证
-auth_alone_cert = false
-
+# 开启后支持证书验证，客户端未提供证书或证书验证失败，则回退到用户名密码验证
+auth_cert = false
+# 开启后仅支持证书验证，客户端只能使用证书验证，不开启则回退用户名密码验证
+auth_only_cert = false
 #客户端证书CA证书
 client_cert_ca_file = "./conf/client_ca.pem"
 #客户端证书CA密钥

server/handler/link_auth.go

@@ -78,7 +78,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// 检查客户端证书认证
-	if base.Cfg.AuthAloneCert {
+	if base.Cfg.AuthCert {
 		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
 			clientCert := r.TLS.PeerCertificates[0]
 			username := clientCert.Subject.CommonName
@@ -107,13 +107,20 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 				ua.Info = "客户端证书验证失败"
 				ua.Status = dbdata.UserAuthFail
 				dbdata.UserActLogIns.Add(*ua, userAgent)
-
+				if base.Cfg.AuthOnlyCert {
+					base.Warn("已开启仅证书验证，但客户端证书验证失败,拒绝访问")
+					return
+				}
+				base.Warn("已开启证书验证，但客户端证书验证失败,回退到用户名密码验证")
+			}
+		} else {
+			if base.Cfg.AuthOnlyCert {
+				base.Warn("已开启仅证书验证，但客户端未提供有效证书,拒绝访问")
+				w.WriteHeader(http.StatusForbidden)
 				return
 			}
+			base.Warn("已开启证书验证，但客户端未提供有效证书,回退到用户名密码验证")
 		}
-		base.Warn("启用了独立证书验证，但用户未提供有效证书")
-		w.WriteHeader(http.StatusForbidden)
-		return
 	}
 
 	if cr.Type == "init" {

server/handler/server.go

@@ -72,10 +72,10 @@ func startTls() {
 		},
 	}
 	// 开启证书认证
-	if base.Cfg.AuthAloneCert {
+	if base.Cfg.AuthCert {
 		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven // 验证客户端证书
 		tlsConfig.ClientCAs = dbdata.LoadClientCAPool()    // 加载客户端CA证书
-		base.Info("已启用独立证书验证")
+		base.Info("已启用客户端证书验证")
 	}
 	srv := &http.Server{
 		Addr:         addr,