Mutual SSL authentication with NGINX + OpenSSL
1. Purpose
2. SSL identity authentication mechanism
3. Generating certificates with OpenSSL
4. Deploying the certificates in Nginx to implement mutual SSL authentication
5. Accessing the site from Ruby with a client certificate
1. Purpose
Set up mutual (two-way) SSL certificate authentication.
Authorize by client IP and restrict access by client certificate serial number.
2. SSL certificate identity verification mechanism
http://www.co.ccpit.org/ca/Htm/menu-item-frame2-content10.htm
http://lulu87.blog.51cto.com/1244696/379556
3. Generating certificates with OpenSSL
http://www.gaojinbo.com/openssl-%E7%94%9F%E6%88%90%E8%87%AA%E7%AD%BE%E8%AF%81%E4%B9%A6.html
http://blog.jamiesun.me/archives/tag/nginx
4. Deploying the certificates in Nginx to implement mutual SSL verification
1. Mutual authentication + restriction by certificate serial number
    server {
        listen       8081;
        server_name  liuwm-pc@grandsoft.com.cn;

        #charset koi8-r;
        #access_log  logs/host.access.log  main;

        root D:/www-date/public;

        # /1 and /2: only the client certificate with this serial number is admitted
        location ^~ /1 {
            if ( $ssl_client_serial !~* "9783A95824D433EC" ) {
                return 403;
            }
            #root   D:/www-date/public;
            #allow  192.168.69.182;
            #deny   all;
            #index  index.html index.htm;
        }

        location ^~ /2 {
            if ( $ssl_client_serial !~* "9783A95824D433EC" ) {
                return 403;
            }
            #root   D:/www-date/public;
            #allow  192.168.69.80;
            #deny   all;
            #index  index.html index.htm;
        }

        # everything else: that same certificate is refused
        location / {
            if ( $ssl_client_serial ~* "9783A95824D433EC" ) {
                return 403;
            }
            #deny   all;
            #root   D:/www-date/public;
            #index  index.html index.htm;
        }

        #error_page  404  /404.html;

        # SSL: server certificate and key, the CA that issued the client certificates,
        # and mandatory client certificate verification
        ssl                     on;
        ssl_certificate         E:/nginx/nginx-1.1.7/ssl/server.crt;
        ssl_certificate_key     E:/nginx/nginx-1.1.7/ssl/server_no.key;
        ssl_client_certificate  E:/nginx/nginx-1.1.7/ssl/ca.crt;
        ssl_session_timeout     5m;
        ssl_verify_client       on;
        # as written for nginx 1.1.7; SSLv2/SSLv3 and the LOW/EXP cipher classes are
        # obsolete, current deployments enable TLSv1.2 and later only
        ssl_protocols           SSLv2 SSLv3 TLSv1;
        ssl_ciphers             ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
5. Accessing the site from Ruby with a client certificate
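Added example, not code from the original page: a Ruby model of what the configuration in section 4 checks (the cert must chain to ca.crt, and the serial must match the string nginx exposes as $ssl_client_serial) plus the Net::HTTP client setup that section 5 needs. The CA, client certificates, serial numbers and host/port are constructed in memory for the example; a real deployment uses the files from step 3.

```ruby
require 'openssl'
require 'net/http'

# Build a certificate; with issuer_cert/issuer_key it is signed by that CA,
# otherwise it is self-signed (constructed in memory for this example only).
def make_cert(subject, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                              # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# The form nginx puts in $ssl_client_serial: uppercase hex, two digits per byte
# (BN#to_s(16) produces the same encoding, e.g. serial 1 -> "01").
def nginx_serial(cert)
  cert.serial.to_s(16)
end

# Decision made by "location ^~ /1": only the listed serial passes (~* is case-insensitive).
def serial_allowed?(cert, allowed_serial)
  nginx_serial(cert).casecmp?(allowed_serial)
end

# Mirrors ssl_verify_client on: the presented certificate must chain to the CA in ca.crt.
def chains_to_ca?(client_cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(client_cert)
end

# Net::HTTP configured with the client certificate and the CA that signed the
# server certificate; no request is sent here, the caller issues http.get etc.
def build_client(host, port, client_cert, client_key, ca_cert)
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.cert        = client_cert
  http.key         = client_key
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  http.cert_store  = store
  http
end
```

Use nginx_serial on the certificate issued in step 3 to obtain the exact string to paste into the $ssl_client_serial comparison.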