[英]TLS client authentication with Nginx and Tomcat web application
I have a Tomcat 8 web application, it runs on the port 8080 on the server. 我有一个Tomcat 8 Web应用程序,它在服务器上的端口8080上运行。 Any incoming request to port 443 is forwarded to localhost:8080 using Nginx to serve the web application. 使用Nginx为Web应用程序提供服务的端口443的任何传入请求都转发到localhost:8080。
I am trying to set up mutual authentication & then parse the client cert that was used for the authentication by the application. 我正在尝试设置相互身份验证,然后解析该应用程序用于身份验证的客户端证书。 This information will then be used by the application to decide if the user should have admin
or user
rights. 然后,应用程序将使用此信息来确定用户是否应具有admin
或user
权限。 The client cert will bear the string admin
or user
in the Common Name (CN) field. 客户端证书将在“公用名(CN)”字段中包含字符串admin
或user
。
I am able to achieve the mutual authentication & below is the current nginx ssl.conf But the problem is that the cert info is not passed to the tomcat web application to parse the data. 我能够实现相互身份验证,以下是当前的nginx ssl.conf,但是问题是证书信息没有传递到tomcat Web应用程序来解析数据。 Is there a way available in nginx to pass on the client cert data, so the tomcat8 application can use that? nginx中是否有一种方法可以传递客户端证书数据,因此tomcat8应用程序可以使用该方法?
server {
listen 443 default_server;
server_name name.domain.com;
ssl on;
ssl_certificate /etc/nginx/self-signed.pem;
ssl_certificate_key /etc/nginx/self-signed.pem;
ssl_protocols SSLv2 TLSv1 TLSv1.1 TLSv1.2;
ssl_client_certificate /etc/nginx/ca.cert.pem;
ssl_verify_client optional;
ssl_verify_depth 2;
ssl_session_timeout 5m;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
port_in_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#test page for the load balancer
location /loadbalancer {
add_header X-Frame-Options "DENY";
auth_basic off;
#proxy_pass http://localhost:8080;
try_files $uri /test.html;
}
location /webapi {
add_header X-Frame-Options "DENY";
auth_basic off;
proxy_pass http://localhost:8080;
}
location / {
if ($ssl_client_verify != SUCCESS)
{
return 403;
break;
}
add_header X-Frame-Options "DENY";
proxy_pass http://localhost:8080;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
You can use the proxy_set_header directive to pass additional headers to your tomcat. 您可以使用proxy_set_header指令将其他标头传递给您的tomcat。
Available variables 可用变量
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_cipher http://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_cipher
Example 例
proxy_set_header SSL_DN $ssl_client_s_dn;
In your Java app you can read this headers for further processing. 在Java应用程序中,您可以阅读此标头以进行进一步处理。
On a side note I would not save the access level in the certificate but in a server side database, that way you could reassign / change / add roles easier or revoke a valid certificate. 附带说明,我不会将访问级别保存在证书中,而是保存在服务器端数据库中,这样您可以更轻松地重新分配/更改/添加角色或撤销有效证书。
EDIT Actually nginx supports certificate revocation lists as well: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl 编辑实际上,nginx也支持证书吊销列表: http : //nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl
Good article for nginx + php which can be easily adapted into your use case: 关于nginx + php的好文章,可以很容易地适应您的用例:
http://nategood.com/client-side-certificate-authentication-in-ngi http://nategood.com/client-side-certificate-authentication-in-ngi
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.