
Peer Validation Allowlist

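Alteryx has added, in connection with opening TLS or SSL connections (for example, using cURL and OpenSSL

This requires that connections to services be secured with TLS and that the server being connected to present a trusted, valid CA-signed certificate. Validation must follow the CA chain all the way to the root certificate, and the certificate is validated against the list of trusted certificate authorities in the Microsoft Windows certificate store. Linux is not currently supported.

  • This feature was first enabled in the 2022.1+ Designer-FIPS and 2022.2 Server-FIPS releases and cannot be turned off.

  • Peer Validation is now also enabled in non-FIPS 2022.3+ releases.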

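Set Up an Allowlist for Peer Validation

We understand that some administrators and users might encounter issues related to this change. In particular, this affects existing workflows or Server environments that use unsecured connections or TLS connections with self-signed, invalid, or untrusted certificates.

To resolve these issues and continue to use unsecured connections or TLS connections with certificates that fail validation, you must add exceptions to an allowlist.

  • The allowlist contains entries for URL sites that would normally fail when Peer Validation is enabled.

  • Add URL exceptions to a text file named PeerValidationBypass.txt.

  • You must place the file at C:\ProgramData\Alteryx\PeerValidationBypass.txt.

  • If the file does not exist, Peer Validation is on by default. Note, however, that the presence of the file does not turn Peer Validation off. It makes Designer and Server ignore Peer Validation when they connect to the specific sites listed in the file.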

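PeerValidationBypass.txt Requirements

Entries in the PeerValidationBypass.txt file must follow these rules:

  • One fully qualified domain name (FQDN) entry per line.

  • Enter the host name only.

  • Remove the protocol:// from the beginning of the URL.

  • Remove any path, query, and password from the URL.

  • Do not leave blank lines between entries.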

Using Wildcards

You can configure PeerValidationBypass.txt with FQDNs and IPv4 addresses that contain wildcard characters.

A domain name is a simple structure made of several fields, separated by dots and read from right to left. An example domain name is help.alteryx.com where…

  • The Top-Level Domain (TLD) is com.

  • The labels follow the TLD. alteryx is Label1 and help is Label2.

    • A label is a case-insensitive character sequence anywhere from one to sixty-three characters in length.

    • It contains only the letters A through Z, digits 0 through 9, and the hyphen (-) character (which can’t be the first or last character in the label).

  • The label located right before the TLD is also called a Secondary Level Domain (SLD), alteryx in the example above.

    Note

    A domain name might consist of one field only, or it might consist of two, three, or more than three fields. A fully qualified domain name (FQDN) is always labeled in the format:

    hostname.SLD.TLD

When PeerValidationBypass.txt is parsed to determine whether a particular endpoint’s TLS certificate should be validated, the parser interprets wildcards as follows:

  • An asterisk (*) character matches 0 or more valid label characters.

  • A question mark (?) character matches exactly 1 valid label character.

Domain Name Entry Details

For a domain name entry…

  • If TLD is a country code TLD, wildcard characters are not allowed in the last three fields. Wildcard matching is performed in Label 3 and onwards.

  • If TLD is not a country code TLD, wildcard characters are not allowed in the last two fields. Wildcard matching is performed in Label 2 and onwards.

Example Invalid Domain Name Entries

???.*.com.fr, alteryx*.help.n?t, alteryx.*.net, and hello.world.example*.???

IPv4 Address Entry Details

For an IPv4 address entry…

  • Wildcard characters are not allowed in the first two fields.

  • Wildcard matching is performed in the last two fields.

Example Invalid IPv4 Entries

192.*.*.23, ???.*.123.234, and *.10.100.200

Example Entries

Example 1

Suppose Peer Validation blocks this URL:

https://ThisIsATest.com/?category.id=External

In the PeerValidationBypass.txt file, enter this:

ThisIsATest.com

Example 2

Suppose Peer Validation blocks these URLs, which share a similar pattern:

  • https://example.ThisIsATest.com/?category.id=External

  • https://warning.ThisIsATest.com/?category.id=External

  • https://info.ThisIsATest.com/?category.id=External

In the PeerValidationBypass.txt file you can cover all 3 with one entry, using a wildcard:

*.ThisIsATest.com

Example 3

To add visit.country.france.fr and work.country.france.fr to the allowlist, enter this in the PeerValidationBypass.txt file:

*.country.france.fr

Note

The TLD (fr) is a country code. As a result, wildcard characters are not allowed in the last 3 fields: country.france.fr.

Example 4

To add the 123.12.123.1 and 123.12.123.2 IPv4 addresses to the allowlist, enter this in the PeerValidationBypass.txt file:

123.12.123.?
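
An added example, not Alteryx's code: a small Python linter that applies the entry rules and wildcard restrictions described above to the contents of PeerValidationBypass.txt, plus a matcher that shows which host names an entry would exempt from validation. The function names are hypothetical, and it assumes that a two-letter TLD is a country code TLD and that wildcards never match a dot; Alteryx's own parser may behave differently.

```python
import re

WILD = re.compile(r"[*?]")

def check_entry(entry):
    """Return rule violations for one PeerValidationBypass.txt line ([] = OK)."""
    if not entry.strip():
        return ["blank line"]
    if not re.fullmatch(r"[A-Za-z0-9.*?-]+", entry):
        return ["not a bare host name (protocol, path, query or password present)"]
    fields = entry.split(".")
    if "" in fields:
        return ["empty field"]
    if len(fields) == 4 and all(re.fullmatch(r"[0-9*?]+", f) for f in fields):
        # IPv4 entry: wildcards are allowed only in the last two fields.
        bad = any(WILD.search(f) for f in fields[:2])
        return ["wildcard in the first two IPv4 fields"] if bad else []
    # Assumption: a two-letter TLD is treated as a country code TLD.
    protected = 3 if re.fullmatch(r"[A-Za-z]{2}", fields[-1]) else 2
    if any(WILD.search(f) for f in fields[-protected:]):
        return [f"wildcard in the last {protected} fields"]
    return []

def entry_matches(entry, host):
    """Match host against an entry: '*' is 0+ label characters, '?' is exactly
    one, so neither crosses a dot. Labels compare case-insensitively."""
    pattern = "".join(
        "[a-z0-9-]*" if c == "*" else "[a-z0-9-]" if c == "?" else re.escape(c)
        for c in entry.lower()
    )
    return re.fullmatch(pattern, host.lower()) is not None

def lint(text):
    """Return {line_number: [problems]} for every offending line of the file."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = check_entry(line)
        if problems:
            report[number] = problems
    return report

# Constructed sample content built from the entries shown on this page.
SAMPLE = "\n".join([
    "ThisIsATest.com", "*.country.france.fr", "alteryx.*.net", "",
    "192.*.*.23", "https://ThisIsATest.com/?category.id=External", "123.12.123.?",
])

if __name__ == "__main__":
    for number, problems in lint(SAMPLE).items():
        print(f"line {number}: {problems[0]}")
```

Running the linter over the file after every edit keeps the set of hosts that skip certificate validation as narrow as the rules allow.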

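Additional Notes

  • After you edit PeerValidationBypass.txt, a search for a match runs whenever you use cURL/OpenSSL in Alteryx tools. If Designer or Server finds a match, Peer Validation is turned off.

  • Note that FIPS products ignore the allowlist.

  • When an external server requires an SSL certificate signed by an intermediate CA, to avoid any SSL Peer Validation errors, add the required intermediate CA to the Trusted Root Certification Authorities - Certificates folder in the Microsoft Management Console.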