Nginx: Mutual TLS (two-way certificate authentication)

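# The Common Name entered for the CA certificate must differ from the ones
# entered for the upstream and proxy certificates: a leaf whose subject equals
# its issuer's subject looks self-signed and will not verify against the CA.
# Each `openssl req` below prompts for the subject interactively.

# 1. Private CA: RSA key plus a self-signed certificate valid for 365 days.
#    ca.key is written unencrypted. Anyone who can read it can issue
#    certificates that both nginx instances will accept, so restrict its
#    permissions and do not copy it to the servers.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# 2. Upstream (TLS server) key and CSR, signed by the CA, then checked.
#    -nodes leaves upstream.key unencrypted so nginx can load it without a
#    passphrase; protect the file with filesystem permissions instead.
#    No -days is passed to `openssl x509 -req`, so the certificate gets the
#    tool's default validity (30 days).
openssl req -new -newkey rsa:2048 -keyout upstream.key -nodes -out upstream.csr
openssl x509 -req -sha256 -in upstream.csr -out upstream.crt -CA ca.crt -CAkey ca.key -CAcreateserial
openssl verify -CAfile ca.crt upstream.crt

# 3. Proxy (TLS client) key and CSR, signed by the same CA, then checked.
#    The same -nodes and default-validity caveats apply.
openssl req -new -newkey rsa:2048 -keyout proxy.key -nodes -out proxy.csr
openssl x509 -req -sha256 -in proxy.csr -out proxy.crt -CA ca.crt -CAkey ca.key -CAcreateserial
# -CAfile takes the CA certificate file name, ca.crt, with no leading dash.
openssl verify -CAfile ca.crt proxy.crt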
upstream启用https
# Upstream side: serve HTTPS and check the certificate presented by the proxy.
# NOTE(review): the enclosing server block (listen ... ssl) is not shown here.

# Server certificate and key presented to connecting clients.
ssl_certificate upstream.crt;
ssl_certificate_key upstream.key;

# "optional": the client may omit a certificate; set to "on" to require one.
# With "optional", a request that carries no certificate still reaches the
# return below, so access decisions must check $ssl_client_verify
# (SUCCESS / NONE / FAILED:reason) rather than assume a verified peer.
ssl_verify_client optional;
# Maximum verification depth for the client certificate chain.
ssl_verify_depth 2;
# CA certificate used to verify client certificates.
ssl_client_certificate ca.crt;

# Debug response: echoes the TLS and client-certificate variables back to the
# caller with status 201. It discloses certificate contents and the session id,
# so it is suited to testing only.
# $ssl_client_cert is marked deprecated in the nginx documentation in favour of
# $ssl_client_escaped_cert.
return 201 ' ssl_client_escaped_cert: $ssl_client_escaped_cert ssl_client_cert: $ssl_client_cert ssl_client_raw_cert: $ssl_client_raw_cert ssl_cipher: $ssl_cipher ssl_ciphers: $ssl_ciphers ssl_client_fingerprint: $ssl_client_fingerprint ssl_client_i_dn: $ssl_client_i_dn ssl_client_i_dn_legacy: $ssl_client_i_dn_legacy ssl_client_s_dn: $ssl_client_s_dn ssl_client_s_dn_legacy: $ssl_client_s_dn_legacy ssl_client_serial: $ssl_client_serial ssl_client_v_end: $ssl_client_v_end ssl_client_v_remain: $ssl_client_v_remain ssl_client_verify: $ssl_client_verify ssl_curves: $ssl_curves ssl_protocol: $ssl_protocol ssl_server_name: $ssl_server_name ssl_session_id: $ssl_session_id ssl_session_reused: $ssl_session_reused\n';
proxy配置向upstream提供证书:
# Proxy side: forward requests to the HTTPS upstream and present proxy.crt
# as the client certificate.
location ^~ / {
    root /node;  # where files returned by the upstream are stored
    proxy_pass https://192.168.8.11:555;
    # Server name sent via SNI; nginx also uses it for the certificate name
    # check when proxy_ssl_verify is on.
    proxy_ssl_name custom_ssl_name;
    # Verification depth for the upstream certificate chain; only consulted
    # when proxy_ssl_verify is on.
    proxy_ssl_verify_depth 4;
    proxy_ssl_certificate proxy.crt;  # client certificate presented to the upstream
    proxy_ssl_certificate_key proxy.key;
    proxy_ssl_server_name on;  # send proxy_ssl_name via SNI; author's note: when off, proxy_ssl_name has no effect
    #proxy_hide_header custom-header;  # hide an upstream response header, case-insensitive

    # NOTE(review): proxy_ssl_verify is not set in this block and defaults to
    # off, so unless it is inherited from an outer level the proxy does not
    # validate the upstream's certificate. Only the upstream authenticates its
    # peer, and an impostor at 192.168.8.11:555 would be accepted. For
    # authentication in both directions, add
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate ca.crt;
    # and make sure the name in upstream.crt matches proxy_ssl_name.
}