使用Nginx proxy_pass时的客户端身份验证
[英]client authentication when using nginx proxy_pass
问题描述
My question is about nginx directive "proxy_pass". 
我的问题是关于nginx指令“ proxy_pass”。
I have an http server and I need to redirect requests using https. 我有一个http服务器,我需要使用https重定向请求。 I'm using the following statement: proxy_pass https://secure.server In wireshark I see that there is a SSL handshake, but client (nginx proxy_pass https:) did not send certificate on server's SSL certificate request. 我正在使用以下语句:proxy_pass https://secure.server在Wireshark中,我看到有SSL握手,但是客户端(nginx proxy_pass https :)没有在服务器的SSL证书请求上发送证书。 Verifying client certificate is necessary by server. 服务器需要验证客户端证书。 How can I force proxy_pass to send client certificate when using https ? 使用https时,如何强制proxy_pass发送客户端证书? Below is part of nginx.conf configuration file: 以下是nginx.conf配置文件的一部分:
server {
listen 8888;
server_name _;
error_page 405 =200 $uri;
ssl_certificate /usr/local/cert.pem;
ssl_certificate_key /usr/local/cert.pem
ssl_client_certificate /usr/local/ca.cer;
location ~ /uri/(.+) {
proxy_pass https://secure.server;
break;
}
}
3 个解决方案
解决方案1
0 2013-02-20 00:37:17
You need to enable SSL client certificate verification. 您需要启用SSL客户端证书验证。
Add this under the other SSL configurations: 将其添加到其他SSL配置下:
ssl_verify_client on;
解决方案2
0 2014-11-13 20:01:00
I'm looking for the same solution as well. 我也在寻找相同的解决方案。
I found SEnginx, which has a module called "Proxy HTTPS Client Certificate". 我找到了SEnginx,它有一个名为“代理HTTPS客户端证书”的模块。 From the description it seems that is should allow for client certificates, but I could not get it to work for me. 从描述看来,应该允许客户端证书,但是我无法让它为我工作。 The backend server simply would not prompt the client for a certificate. 后端服务器根本不会提示客户端输入证书。
Following is the link to SEnginx . 以下是指向SEnginx的链接。
Also: Here is a possible explanation as to why this might not be possible. 另外: 以下是关于为何无法实现的可能解释。
解决方案3
0 2019-06-30 20:58:26
During ssl handshake, the server will send "client certificate ca names". 在ssl握手过程中,服务器将发送“客户端证书ca名称”。 (ie) The server will accept the client certificates only from those CAs. (即)服务器仅接受来自那些CA的客户端证书。 Client will send send client certificate only if it has a cert signed by those CA. 客户端只有在具有那些CA签名的证书的情况下,才会发送发送客户端证书。
So in your case, verify 1. The CA names send by server for client cert request. 因此,在您的情况下,请验证1。服务器为客户端证书请求发送的CA名称。 This will be the CAs you have configured in the truststore of the server. 这将是您在服务器的信任库中配置的CA。 (ie) During ssl handshake look for CertificateRequest message (ie)在ssl握手期间查找CertificateRequest消息
Make sure you client cert is signed by one of those CA
确保您的客户端证书已由这些CA之一签名 Best option is to verify with curl, both your client and server certificates are configured properly curl -vvv --cert /usr/local/cert.pem https://secure.server If you are not able to figure out with the curl output, please paste the curl output
最好的选择是使用curl进行验证,您的客户端证书和服务器证书都已正确配置curl -vvv --cert /usr/local/cert.pem https://secure.server如果无法弄清curl输出,请粘贴卷曲输出
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.