# OAuth2 authorization code intercepted because the reverse proxy terminates TLS without re-encrypting to the backend

- **ID:** `security/oauth2-authorization-code-interception-via-reverse-proxy`
- **Domain:** security
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 92%

## Root cause

The authorization code reaches the client application in the query string of the browser's redirect (`...?code=...&state=...`). When the reverse proxy terminates TLS and forwards that request to the backend as plaintext HTTP, the code, together with any session cookies the same request carries, crosses the internal network unencrypted. Any process that can read that segment (a compromised host, a rogue container, an ARP-spoofing neighbour) can capture the code before the legitimate client redeems it at the token endpoint.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| OAuth 2.0 | active | — | — |
| nginx 1.24.0 | active | — | — |
| Apache HTTP Server 2.4.57 | active | — | — |
| Spring Security 6.1.0 | active | — | — |

## Solution

1. Configure the reverse proxy to terminate TLS at the proxy and re-encrypt the traffic to the backend (for nginx, `proxy_pass` with an `https://` upstream). Example: `proxy_pass https://backend:443; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem;`. Do not leave `proxy_ssl_verify off` (nginx's default): the hop is then encrypted, but the proxy accepts any certificate, so a host on the internal segment can impersonate the backend and still read the code.
2. Use mTLS between the proxy and the backend, so that the channel is encrypted even on the internal network and the backend accepts connections only from a client certificate issued to the proxy.
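
The plaintext hop, the half-fixed variant (re-encrypted but with verification switched off) and the corrected configuration with verified re-encryption plus a proxy client certificate for mTLS, side by side, with a small lint function that flags each. This is an added example, not configuration from the original entry or from nginx itself: the directive names are real nginx directives, but the host names, ports, certificate paths and the sample configurations are constructed for illustration.

```python
"""Lint nginx location blocks for a plaintext or unverified hop between the
TLS-terminating proxy and the OAuth2 client backend.

Added example, not from the original entry. Directive names are real nginx
directives; host names, ports and certificate paths are assumptions.
"""
import re

# Constructed sample: the vulnerable configuration. The browser's redirect
# (e.g. Spring Security's /login/oauth2/code/{registrationId}?code=...)
# arrives over TLS and leaves the proxy as cleartext HTTP.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;
    location / {
        proxy_pass http://backend:8080;
        proxy_set_header Host $host;
    }
}
"""

# Constructed sample: re-encrypted but unverified. The hop is encrypted, yet the
# proxy accepts any certificate, so a host on the segment can impersonate the
# backend and still read the code.
UNVERIFIED_CONFIG = """
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;
    location / {
        proxy_pass https://backend:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
    }
}
"""

# Constructed sample: re-encryption verified against an internal CA, plus a
# client certificate so the backend can require mTLS from the proxy.
FIXED_CONFIG = """
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;
    location / {
        proxy_pass https://backend:443;
        proxy_ssl_verify on;
        proxy_ssl_name backend;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key;
        proxy_set_header Host $host;
    }
}
"""

Finding = tuple[str, str, str]  # (location path, severity, message)


def lint_proxy_config(config: str) -> list[Finding]:
    """Return a finding for each location block whose upstream hop is weak."""
    findings: list[Finding] = []
    # The sample bodies contain no nested braces, so a non-greedy match up to
    # the first '}' delimits each location block.
    for block in re.finditer(r"location\s+([^{]+?)\s*\{(.*?)\}", config, re.DOTALL):
        path = block.group(1).strip()
        body = re.sub(r"#.*", "", block.group(2))  # drop comments
        directives = {m.group(1): m.group(2).strip()
                      for m in re.finditer(r"(\w+)\s+([^;]*);", body)}
        upstream = directives.get("proxy_pass")
        if upstream is None:
            continue
        if upstream.startswith("http://"):
            findings.append((path, "HIGH", f"plaintext upstream {upstream}: the "
                             "authorization code crosses the internal network unencrypted"))
            continue
        # nginx defaults proxy_ssl_verify to off
        if directives.get("proxy_ssl_verify", "off") != "on":
            findings.append((path, "HIGH", "proxy_ssl_verify off: encrypted hop accepts "
                             "any certificate, backend can be impersonated"))
        elif "proxy_ssl_trusted_certificate" not in directives:
            findings.append((path, "HIGH", "proxy_ssl_verify on without "
                             "proxy_ssl_trusted_certificate: no trust anchor"))
        if not all(k in directives for k in ("proxy_ssl_certificate", "proxy_ssl_certificate_key")):
            findings.append((path, "MEDIUM", "no proxy client certificate: backend "
                             "cannot restrict callers to the proxy (mTLS)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("unverified", UNVERIFIED_CONFIG),
                      ("fixed", FIXED_CONFIG)):
        print(name, lint_proxy_config(cfg) or "clean")
```

The MEDIUM finding is deliberately separate from the HIGH ones: verified re-encryption alone closes the interception described above, while the client certificate is what lets the backend refuse connections that do not come from the proxy, which is the second solution step.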

## Failed attempts

- **Adding an HTTPS certificate to the backend server without changing the proxy configuration** — The proxy still forwards plain HTTP to the backend's cleartext port; a certificate installed on the backend does nothing for the wire between proxy and backend. (95% failure rate)
- **Using a self-signed certificate on the backend to force HTTPS termination at the backend** — If the proxy verifies upstream certificates, it rejects the self-signed one unless that certificate (or its CA) is added to the proxy's trust store, so requests fail at the proxy; the common workaround of disabling verification re-encrypts the hop but authenticates nobody. (80% failure rate)
