security
auth_error
ai_generated: true
OAuth2 authorization code intercepted by reverse proxy due to missing TLS termination at proxy
ID: security/oauth2-authorization-code-interception-via-reverse-proxy
92% fix rate
85% confidence
1 piece of evidence
First seen 2024-03-12
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth2 2.0 | active | — | — | — |
| nginx 1.24.0 | active | — | — | — |
| Apache HTTP Server 2.4.57 | active | — | — | — |
| Spring Security 6.1.0 | active | — | — | — |
Root cause analysis
When a reverse proxy terminates TLS but forwards plain HTTP to the backend, the authorization code is transmitted in cleartext on the internal network, allowing any process on that network segment to intercept it.
Official documentation
https://oauth.net/2/grant-types/authorization-code/
Solution
- Configure the reverse proxy to terminate TLS at the proxy and re-encrypt the traffic to the backend (for example, nginx `proxy_pass` with an HTTPS upstream). Example: `proxy_pass https://backend:443; proxy_ssl_verify off;`
- Use mTLS between the proxy and the backend so that the channel is encrypted even on the internal network.
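As an added example (not part of this record), the weak nginx configuration beside the corrected one: both terminate TLS at the proxy, but only the second re-encrypts to the backend, verifies the backend certificate and presents a client certificate for mTLS. Unlike the `proxy_ssl_verify off` in the snippet above, verification is turned on, since an unverified upstream TLS hop stops passive capture on the segment but not an impersonated backend. The hostname, the Spring Security callback path and all certificate paths are assumptions.

```nginx
# Weak: TLS ends at the proxy, and the redirect carrying ?code=... crosses the LAN as plain HTTP
server {
    listen 443 ssl;
    server_name app.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/tls/app.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/app.key;

    location /login/oauth2/code/ {                # assumed Spring Security redirect-URI path
        proxy_pass http://backend:8080;           # cleartext hop: the authorization code is exposed here
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Corrected: re-encrypt to the backend, verify its certificate, and present a client cert (mTLS)
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;

    location /login/oauth2/code/ {
        proxy_pass https://backend:8443;          # encrypted hop to the backend
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;                      # reject a backend that cannot prove its identity
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;   # CA that signed the backend cert
        proxy_ssl_name backend;                   # name checked against the backend certificate
        proxy_ssl_server_name on;                 # send SNI so the backend selects the right cert
        # client certificate so the backend can require mTLS from the proxy
        proxy_ssl_certificate     /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The backend must also be configured to require the client certificate (for Spring Boot, `server.ssl.client-auth=need`); otherwise the proxy presents its certificate but nothing checks it.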
Ineffective attempts
Common but ineffective approaches:
- Adding an HTTPS certificate to the backend server without changing the proxy configuration
  95% failure
  The proxy still forwards HTTP; backend HTTPS doesn't protect the wire between the proxy and the backend.
- Using a self-signed certificate on the backend to force HTTPS termination at the backend
  80% failure
  Self-signed certificates cause backend SSL errors; the proxy may still strip TLS or fail to forward.