Nginx: mutual TLS (two-way certificate verification between proxy and upstream)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

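# Create a private CA, then one server certificate for the upstream and one
# client certificate for the proxy, both signed by that CA.
#
# The CA and the two leaf certificates must NOT share the same Common Name:
# OpenSSL looks up the issuer by subject name, and a leaf whose subject equals
# the CA's subject fails `openssl verify`.
#
# Keys are written unencrypted (-nodes) so nginx can load them without a
# passphrase: restrict their file permissions, and keep ca.key off the nginx
# hosts entirely (it is only needed to sign CSRs).
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Upstream server certificate. If the proxy verifies the upstream certificate
# (proxy_ssl_verify on), the CN/SAN entered here must match the name the proxy
# sends in proxy_ssl_name.
# NOTE: `openssl x509 -req` defaults to a 30-day validity when -days is
# omitted, so it is set explicitly to match the CA's lifetime.
openssl req -new -newkey rsa:2048 -keyout upstream.key -nodes -out upstream.csr
openssl x509 -req -sha256 -days 365 -in upstream.csr -out upstream.crt -CA ca.crt -CAkey ca.key -CAcreateserial
openssl verify -CAfile ca.crt upstream.crt

# Proxy client certificate, presented to the upstream via proxy_ssl_certificate.
openssl req -new -newkey rsa:2048 -keyout proxy.key -nodes -out proxy.csr
openssl x509 -req -sha256 -days 365 -in proxy.csr -out proxy.crt -CA ca.crt -CAkey ca.key -CAcreateserial
# The original wrote "-CAfile -ca.crt", which passes a bogus "-ca.crt" option
# instead of the CA file name; the argument to -CAfile is the file path.
openssl verify -CAfile ca.crt proxy.crt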

 

upstream 启用 https, 并验证 proxy 提供的客户端证书 (mTLS 服务端):

        # Upstream (server) side of the mutual-TLS setup: serve the upstream
        # certificate and ask the connecting proxy for a client certificate
        # that chains to ca.crt.
        ssl_certificate upstream.crt;
        ssl_certificate_key upstream.key;

        # "optional" asks for a client certificate but still serves clients
        # that send none, or send one that fails verification; only
        # $ssl_client_verify (SUCCESS / NONE / FAILED:...) tells them apart,
        # so every protected location must check that variable and reject
        # anything other than SUCCESS. Use "on" to reject unauthenticated
        # clients at the TLS handshake instead.
        ssl_verify_client optional;  # clients may omit the certificate; set to "on" to require it
        ssl_verify_depth 2;  # maximum chain length accepted between the client cert and ca.crt
        ssl_client_certificate ca.crt;  # CA used to verify the client certificate
            # NOTE(review): the extra indentation suggests this "return" sits
            # in a location block whose opening is not shown here.  It echoes
            # the TLS handshake details, including the full client certificate,
            # back to the caller as a debugging aid; do not expose this on a
            # production endpoint.
            return 201 '
              ssl_client_escaped_cert: $ssl_client_escaped_cert
              ssl_client_cert: $ssl_client_cert
              ssl_client_raw_cert: $ssl_client_raw_cert
              ssl_cipher: $ssl_cipher
              ssl_ciphers: $ssl_ciphers
              ssl_client_fingerprint: $ssl_client_fingerprint
              ssl_client_i_dn: $ssl_client_i_dn
              ssl_client_i_dn_legacy: $ssl_client_i_dn_legacy
              ssl_client_s_dn: $ssl_client_s_dn
              ssl_client_s_dn_legacy: $ssl_client_s_dn_legacy
              ssl_client_serial: $ssl_client_serial
              ssl_client_v_end: $ssl_client_v_end
              ssl_client_v_remain: $ssl_client_v_remain
              ssl_client_verify: $ssl_client_verify
              ssl_curves: $ssl_curves
              ssl_protocol: $ssl_protocol
              ssl_server_name: $ssl_server_name
              ssl_session_id: $ssl_session_id
              ssl_session_reused: $ssl_session_reused\n';

 

proxy 配置: 向 upstream 提供客户端证书 (注意: 还应启用 proxy_ssl_verify 并指定 proxy_ssl_trusted_certificate, 否则 proxy 不会验证 upstream 的服务端证书):

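        # Proxy (client) side of the mutual-TLS setup: present proxy.crt to the
        # upstream AND verify the upstream's own certificate against our CA.
        # The original omitted proxy_ssl_verify (default "off"): in that state
        # the upstream certificate is accepted unconditionally and
        # proxy_ssl_verify_depth / the name check have no effect, so anyone who
        # can intercept the hop to 192.168.8.11:555 can impersonate the upstream.
        location ^~ / {
            root /node;  # not a cache: nginx does not store proxied responses here (use proxy_cache for that)
            proxy_pass https://192.168.8.11:555;

            # Client certificate sent to the upstream; it must chain to the CA
            # the upstream lists in ssl_client_certificate.
            proxy_ssl_certificate proxy.crt;
            proxy_ssl_certificate_key proxy.key;

            # Verify the upstream's server certificate against our CA.
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate ca.crt;
            proxy_ssl_verify_depth 4;  # maximum chain length accepted between the upstream cert and ca.crt

            # proxy_ssl_name is the host name checked against the upstream
            # certificate's SAN/CN when proxy_ssl_verify is on, and (with
            # proxy_ssl_server_name on) also the SNI value sent in the
            # handshake. Replace the placeholder with the CN/SAN actually put
            # into upstream.crt, otherwise verification fails.
            proxy_ssl_name custom_ssl_name;
            proxy_ssl_server_name on;  # "off" stops proxy_ssl_name from being sent as SNI

            #proxy_hide_header custom-header;  # hide an upstream response header (name is case-insensitive)
        }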

 

 

 

 

 

 

 

 

 
