
How to use a trusted certificate with nginx and Tomcat?

I am integrating a merchant with our application. The merchant provides us with JKS, KEY, PEM and P12 files along with the certificate password.

In the development server, the integration works with the JKS certificate and certificate password, implemented using HttpsURLConnection:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

SSLContext sc = SSLContext.getInstance("TLSv1.2");
char[] passphrase = keystore_password.toCharArray();
// Client authentication: the merchant's JKS holds our client certificate and private key
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(keystore_path), passphrase);
kmf.init(ks, passphrase);
// trustAllCerts is a TrustManager[] defined elsewhere in this code; as its name says,
// it accepts any server certificate, so the merchant's server is not actually validated here
sc.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier hv = new HostnameVerifier() {
    @Override
    public boolean verify(String urlHostName, SSLSession session) {
        if (!urlHostName.equalsIgnoreCase(session.getPeerHost())) {
            logger.warn("Warning: URL host '" + urlHostName
                    + "' is different to SSLSession host '" + session.getPeerHost() + "'");
        }
        return true; // a mismatch is only logged, never rejected
    }
};
```

In the upper environment, Tomcat is in the DMZ zone and interacts with the external world via nginx only.

Tomcat sends the request to the nginx server with the actual URL in a header; nginx parses the header, forwards the request to that URL and returns the response to Tomcat.

Question

How do I forward the request with credentials via nginx to the merchant?

You can't "forward" it. To process HTTP requests based on the contents of the header, nginx must decrypt the incoming data and re-encrypt the outgoing, modified data. Since the whole point of a security protocol like SSL/TLS is that nobody other than the authorized endpoints can see or alter the data, nginx must terminate the client-side SSL/TLS session itself and create a separate server-side SSL/TLS session over which the HTTP-level data is forwarded.

Thus to authenticate to the 'merchant' server, it is nginx that must be configured with the client certificate, including chain cert(s) if applicable, and the matching private key; see http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate et seq.

(If you didn't already have them, you could convert JKS to PKCS12 with keytool -importkeystore and PKCS12 to PEM with openssl pkcs12 -- there are numerous existing Qs on both here and on other Stacks like superuser and serverfault.)

Whether the session from the (real) client to nginx is authenticated with the same cert, a different cert, or not authenticated with a cert at all, is up to the configuration of nginx.
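As an added example (not part of the answer above, and not the asker's configuration), here is an nginx server block that implements the two separate sessions the answer describes: it terminates the Tomcat-side TLS session and opens its own TLS session to the merchant using the converted client certificate. The host names, file paths and the `/merchant/` location prefix are assumptions; the upstream is pinned in `proxy_pass` rather than taken from a request header, so nginx does not become an open proxy for whatever URL a request carries.

```nginx
# One-time conversion on the nginx host (assumed file names), using the commands
# named in the answer: JKS -> PKCS12 with keytool, PKCS12 -> PEM with openssl.
#   keytool -importkeystore -srckeystore merchant.jks -srcstoretype JKS \
#       -destkeystore merchant.p12 -deststoretype PKCS12
#   openssl pkcs12 -in merchant.p12 -clcerts -nokeys -out merchant-client.pem
#   openssl pkcs12 -in merchant.p12 -cacerts -nokeys -out merchant-chain.pem
#   openssl pkcs12 -in merchant.p12 -nocerts -nodes -out merchant-client.key  # then chmod 600
#   cat merchant-client.pem merchant-chain.pem > merchant-client-fullchain.pem

server {
    # Session 1: Tomcat -> nginx. Bound to an internal address so only the DMZ host reaches it.
    listen 10.0.0.5:8443 ssl;
    server_name merchant-proxy.internal;

    # This certificate identifies nginx to Tomcat; it is unrelated to the merchant's client cert.
    ssl_certificate     /etc/nginx/certs/internal.pem;
    ssl_certificate_key /etc/nginx/certs/internal.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /merchant/ {
        # Session 2: nginx -> merchant. The trailing slash strips the /merchant/ prefix,
        # so Tomcat calls https://merchant-proxy.internal:8443/merchant/api/pay
        # and the merchant receives /api/pay.
        proxy_pass https://merchant.example/;

        # Client authentication to the merchant: certificate (with chain) and matching private key.
        proxy_ssl_certificate     /etc/nginx/certs/merchant-client-fullchain.pem;
        proxy_ssl_certificate_key /etc/nginx/certs/merchant-client.key;
        proxy_ssl_protocols       TLSv1.2 TLSv1.3;

        # Validate the merchant's server certificate instead of accepting any certificate.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                merchant.example;

        proxy_set_header Host merchant.example;
    }
}
```

Run `nginx -t` after installing the files; a wrong key/certificate pairing or an unreadable PEM file is reported at configuration test time rather than on the first request.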
