diff --git a/server/base/cfg.go b/server/base/cfg.go
index 7a856db..fc21898 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -47,7 +47,8 @@ type ServerConfig struct {
 DbSource string `json:"db_source"`
 CertFile string `json:"cert_file"`
 CertKey string `json:"cert_key"`
- AuthAloneCert bool `json:"auth_alone_cert"`
+ AuthCert bool `json:"auth_cert"`
+ AuthOnlyCert bool `json:"auth_only_cert"`
 ClientCertCAFile string `json:"client_ca_file"`
 ClientCertCAKeyFile string `json:"client_ca_key_file"`
 FilesPath string `json:"files_path"`
diff --git a/server/base/config.go b/server/base/config.go
index d7afce7..37d9789 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -33,7 +33,8 @@ var configs = []config{
 {Typ: cfgStr, Name: "db_source", Usage: "数据库source", ValStr: "./conf/anylink.db"},
 {Typ: cfgStr, Name: "cert_file", Usage: "证书文件", ValStr: "./conf/vpn_cert.pem"},
 {Typ: cfgStr, Name: "cert_key", Usage: "证书密钥", ValStr: "./conf/vpn_cert.key"},
- {Typ: cfgBool, Name: "auth_alone_cert", Usage: "启用独立证书验证", ValBool: false},
+ {Typ: cfgBool, Name: "auth_cert", Usage: "启用证书验证", ValBool: false},
+ {Typ: cfgBool, Name: "auth_only_cert", Usage: "仅证书验证", ValBool: false},
 {Typ: cfgStr, Name: "client_ca_file", Usage: "客户端证书CA证书", ValStr: "./conf/client_ca.pem"},
 {Typ: cfgStr, Name: "client_ca_key_file", Usage: "客户端证书CA密钥", ValStr: "./conf/client_ca.key"},
 {Typ: cfgStr, Name: "files_path", Usage: "外部下载文件路径", ValStr: "./conf/files"},
diff --git a/server/conf/profile.xml b/server/conf/profile.xml
index b594b7b..987671e 100644
--- a/server/conf/profile.xml
+++ b/server/conf/profile.xml
@@ -13,6 +13,8 @@ AllowRemoteUsers AllowRemoteUsers pinAllowed + User + true Digital_Signature
@@ -20,7 +22,6 @@ ClientAuth - User
diff --git a/server/conf/server-sample.toml b/server/conf/server-sample.toml
index 477b0e8..77d5135 100644
--- a/server/conf/server-sample.toml
+++ b/server/conf/server-sample.toml
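Review bot: The two new fields added to `ServerConfig` carry no comment, and their interaction is not obvious from the names: elsewhere in this commit `AuthOnlyCert` is only consulted inside `if base.Cfg.AuthCert { … }`, both in `LinkAuth` and in `startTls`, so `AuthOnlyCert` on its own changes nothing and username/password login stays enabled. I would state that on the fields themselves: `AuthCert bool \`json:"auth_cert"\` // accept client certificates; fall back to username/password when none is presented or the certificate user lookup fails` and `AuthOnlyCert bool \`json:"auth_only_cert"\` // reject the username/password fallback; has no effect unless AuthCert is also true`. The struct definition starts before and ends after this hunk.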
@@ -10,10 +10,10 @@
 db_source = "./conf/anylink.db"
 cert_file = "./conf/vpn_cert.pem"
 cert_key = "./conf/vpn_cert.key"
-#是否启用独立证书验证,开启后客户端连接需要携带证书
-#如果不开启则使用用户名密码验证
-auth_alone_cert = false
-
+# 开启后支持证书验证,客户端未提供证书或证书验证失败,则回退到用户名密码验证
+auth_cert = false
+# 开启后仅支持证书验证,客户端只能使用证书验证,不开启则回退用户名密码验证
+auth_only_cert = false
 #客户端证书CA证书
 client_cert_ca_file = "./conf/client_ca.pem"
 #客户端证书CA密钥
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index 8f3cba6..c288c44 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -78,7 +78,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 return
 }
 // 检查客户端证书认证
- if base.Cfg.AuthAloneCert {
+ if base.Cfg.AuthCert {
 if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
 clientCert := r.TLS.PeerCertificates[0]
 username := clientCert.Subject.CommonName
@@ -107,13 +107,20 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 ua.Info = "客户端证书验证失败"
 ua.Status = dbdata.UserAuthFail
 dbdata.UserActLogIns.Add(*ua, userAgent)
-
+ if base.Cfg.AuthOnlyCert {
+ base.Warn("已开启仅证书验证,但客户端证书验证失败,拒绝访问")
+ return
+ }
+ base.Warn("已开启证书验证,但客户端证书验证失败,回退到用户名密码验证")
+ }
+ } else {
+ if base.Cfg.AuthOnlyCert {
+ base.Warn("已开启仅证书验证,但客户端未提供有效证书,拒绝访问")
+ w.WriteHeader(http.StatusForbidden)
 return
 }
+ base.Warn("已开启证书验证,但客户端未提供有效证书,回退到用户名密码验证")
 }
- base.Warn("启用了独立证书验证,但用户未提供有效证书")
- w.WriteHeader(http.StatusForbidden)
- return
 }

 if cr.Type == "init" {
diff --git a/server/handler/server.go b/server/handler/server.go
index 9ce722b..f2f7ff1 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -72,10 +72,10 @@ func startTls() {
 },
 }
 // 开启证书认证
- if base.Cfg.AuthAloneCert {
+ if base.Cfg.AuthCert {
 tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven // 验证客户端证书
 tlsConfig.ClientCAs = dbdata.LoadClientCAPool() // 加载客户端CA证书
- base.Info("已启用独立证书验证")
+ base.Info("已启用客户端证书验证")
 }
 srv := &http.Server{
 Addr: addr,
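Review bot: At `if base.Cfg.AuthCert {` the new only-cert mode is reachable solely through this branch, so a server configured with `auth_only_cert = true` but `auth_cert = false` silently keeps full username/password login, the opposite of what the sample config's comment promises. Either normalise once at config load (`if base.Cfg.AuthOnlyCert { base.Cfg.AuthCert = true }`) or refuse to start on that combination; failing that, widen this guard to `if base.Cfg.AuthCert || base.Cfg.AuthOnlyCert {` together with the matching guard in `startTls`. A startup log line naming which of the two modes is active would also let operators confirm the policy they think they set. `LinkAuth` starts before and continues after this hunk.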
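Review bot: The first reject path added here, `if base.Cfg.AuthOnlyCert { base.Warn(...); return }` right after the failed-verification audit entry, returns without writing a status, so unless something earlier in the handler already wrote one the client receives an implicit 200 with an empty body, while the no-certificate reject path a few lines below correctly writes `http.StatusForbidden` first. Add `w.WriteHeader(http.StatusForbidden)` before that `return` so both rejections are observable as 403s by the client and by anything reading access logs. For the fall-back case (certificate presented, `AuthOnlyCert` false) it is worth confirming that nothing derived from the certificate — the `username` taken from its CommonName earlier in the function — carries over into the password path that follows, since the certificate has just been recorded as failed; the remainder of `LinkAuth` lies outside the hunk so I cannot check that here.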
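Review bot: `tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven` is kept for both modes, so with `AuthOnlyCert` set the no-certificate case is still only caught by the handler in `link_auth.go` and a client without a certificate completes the TLS handshake. If every endpoint on this listener is meant to require a client certificate in only-cert mode, `tls.RequireAndVerifyClientCert` enforces that before any handler runs: `if base.Cfg.AuthOnlyCert { tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert }`. If other paths served on the same listener must stay reachable without a certificate, keep the current setting but say so in the comment on this line, because as written the two flags look interchangeable at the TLS layer. Note also that this guard is `if base.Cfg.AuthCert`, so neither the client-auth mode nor `ClientCAs` is set when only `AuthOnlyCert` is true. `startTls` continues past the hunk.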