Peer Validation Allowlist
Alteryx has added, for tools that open TLS or SSL connections (for example, those using cURL and OpenSSL
This requires that the connection to the service be protected with TLS, and that the server being connected to present a trusted, valid, CA-signed certificate. Validation must follow the CA chain all the way up to the root certificate, and the certificate is checked against the list of trusted certificate authorities in the Microsoft Windows certificate store. Linux is not currently supported.
This feature was first enabled in the 2022.1+ Designer-FIPS and 2022.2 Server-FIPS releases, where it cannot be turned off.
Peer validation is now also enabled in the non-FIPS 2022.3+ releases.
Set Up the Peer Validation Allowlist
We understand that some administrators and users might run into issues related to this change, particularly where existing workflows or server environments use insecure connections, or TLS connections with self-signed, invalid, or untrusted certificates.
To resolve these issues and continue using insecure connections, or TLS connections whose certificates fail validation, you must add exceptions to the allowlist.
The allowlist contains entries for URL sites that would otherwise fail once peer validation is enabled.
Add URL exceptions to a text file named PeerValidationBypass.txt. You must place the file at C:\ProgramData\Alteryx\PeerValidationBypass.txt. If the file does not exist, peer validation is on by default. Note, however, that the presence of the file does not turn peer validation off: it only makes Designer and Server skip peer validation when connecting to the specific sites listed in the file.
PeerValidationBypass.txt Requirements
Entries in the PeerValidationBypass.txt file must follow these rules:
One fully qualified domain name (FQDN) entry per line.
Enter only the hostname.
Remove the protocol:// from the beginning of the URL. Remove any path, query, and password from the URL.
Do not leave blank lines between entries.
Using Wildcards
You can configure PeerValidationBypass.txt with FQDNs and IPv4 addresses that contain wildcard characters.
A domain name is a simple structure made of several fields, separated by dots and read from right to left. An example domain name is help.alteryx.com, where…
The Top-Level Domain (TLD) is com. The labels follow the TLD: alteryx is Label 1 and help is Label 2.
A label is a case-insensitive character sequence anywhere from one to sixty-three characters in length. It contains only the letters A through Z, digits 0 through 9, and the hyphen (-) character (which can't be the first or last character in the label).
The label located right before the TLD is also called a Secondary Level Domain (SLD), alteryx in the example above.
Note
A domain name might consist of one field only, or it might consist of two, three, or more than three fields. A fully qualified domain name (FQDN) always has the form:
hostname.SLD.TLD
When PeerValidationBypass.txt is parsed to determine whether a particular endpoint’s TLS certificate should be validated, the parser interprets wildcards as follows:
An asterisk (*) character matches 0 or more valid label characters.
A question mark (?) character matches exactly 1 valid label character.
Domain Name Entry Details
For a domain name entry…
If the TLD is a country-code TLD, wildcard characters are not allowed in the last three fields. Wildcard matching is performed in Label 3 and onwards.
If the TLD is not a country-code TLD, wildcard characters are not allowed in the last two fields. Wildcard matching is performed in Label 2 and onwards.
Example Invalid Domain Name Entries
???.*.com.fr, alteryx*.help.n?t, alteryx.*.net, and hello.world.example*.???
IPv4 Address Entry Details
For an IPv4 address entry…
Wildcard characters are not allowed in the first two fields.
Wildcard matching is performed in the last two fields.
Example Invalid IPv4 Entries
192.*.*.23, ???.*.123.234, and *.10.100.200
Example Entries
Example 1
Suppose peer validation blocks this URL:
https://ThisIsATest.com/?category.id=External
In the PeerValidationBypass.txt file, enter this:
ThisIsATest.com
Example 2
Suppose peer validation blocks these URLs, which share a similar pattern:
https://example.ThisIsATest.com/?category.id=External
https://warning.ThisIsATest.com/?category.id=External
https://info.ThisIsATest.com/?category.id=External
In the PeerValidationBypass.txt file you can cover all 3 with one entry, using a wildcard:
*.ThisIsATest.com
Example 3
To bypass peer validation for visit.country.france.fr and work.country.france.fr, enter this in the PeerValidationBypass.txt file:
*.country.france.fr
Note
The TLD is a country code. As a result, wildcard characters are not allowed in the last 3 fields: country.france.fr.
Example 4
To bypass peer validation for the 123.12.123.1 and 123.12.123.2 IPv4 addresses, enter this in the PeerValidationBypass.txt file:
123.12.123.?
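To make the wildcard placement rules and the matching behaviour above concrete, here is an added Python model of an allowlist parser and matcher. It is not Alteryx's code; it assumes that any two-letter TLD counts as a country-code TLD, that hostnames are compared case-insensitively, and it uses a constructed sample file that mixes the valid entries from the examples with two of the invalid ones.

```python
import re

LABEL_CHAR = r"[A-Za-z0-9-]"                  # valid label characters per the rules above
FIELD_RE = re.compile(r"^[A-Za-z0-9*?-]+$")   # a field: label characters plus wildcards

def is_cc_tld(tld):
    # Assumption for this example: any two-letter alphabetic TLD is a country-code TLD.
    return len(tld) == 2 and tld.isalpha()

def has_wildcard(field):
    return "*" in field or "?" in field

def is_ipv4_entry(fields):
    return len(fields) == 4 and all(f.isdigit() or has_wildcard(f) for f in fields)

def entry_is_valid(entry):
    """Check one allowlist entry against the wildcard placement rules."""
    fields = entry.split(".")
    if not all(FIELD_RE.match(f) for f in fields):
        return False                          # empty field or illegal character
    if is_ipv4_entry(fields):
        # wildcards are only allowed in the last two octets
        return not any(has_wildcard(f) for f in fields[:2])
    # domain entry: the last 3 fields are protected for a ccTLD, the last 2 otherwise
    protected = 3 if is_cc_tld(fields[-1]) else 2
    return not any(has_wildcard(f) for f in fields[-protected:])

def entry_to_regex(entry):
    """'*' matches 0 or more label characters, '?' exactly one; dots are literal."""
    parts = []
    for field in entry.split("."):
        parts.append("".join((LABEL_CHAR + "*") if c == "*" else LABEL_CHAR if c == "?"
                             else re.escape(c) for c in field))
    return re.compile("^" + r"\.".join(parts) + "$", re.IGNORECASE)

def load_allowlist(text):
    """Parse file content; invalid entries are dropped so they never widen the bypass."""
    return [e.strip() for e in text.splitlines() if entry_is_valid(e.strip())]

def bypasses_validation(host, entries):
    """True if peer validation would be skipped for this host under these entries."""
    return any(entry_to_regex(e).match(host) for e in entries)

# Constructed sample file content (not from a real deployment); the last two lines are invalid.
SAMPLE = """ThisIsATest.com
*.ThisIsATest.com
*.country.france.fr
123.12.123.?
alteryx.*.net
192.*.*.23
"""
ENTRIES = load_allowlist(SAMPLE)
```

Because the asterisk never matches a dot, *.ThisIsATest.com covers info.ThisIsATest.com but not a.b.ThisIsATest.com, and the anchored pattern keeps ThisIsATest.com.example from matching.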
Additional Notes
After you edit PeerValidationBypass.txt, it is searched for a match every time you use cURL/OpenSSL in an Alteryx tool. If Designer or Server finds a match, it turns off peer validation for that connection. Note that the FIPS products ignore the allowlist.
When an external server requires an SSL certificate signed by an intermediate CA, add the required intermediate CA to the Trusted Root Certification Authorities > Certificates folder in the Microsoft Management Console to avoid SSL peer validation errors.