@H_404_1@我想通过Nginx代理请求标头’HTTP_X_SSL_CLIENT_S_DN’.
@H_404_1@这是我们的服务器网络结构.
@H_404_1@
[front server:443] <---> [Nginx proxy:8004] <---> [application server:8008]
(client cert auth)
server {
listen 8004;
index index.html;
location / {
proxy_pass_header Server;
proxy_pass_header X-Scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://app-server/;
# TODO: to proxy 'HTTP_X_SSL_CLIENT_S_DN'
# Failed settings
# proxy_pass_request_headers on; # not worked (default: on)
# proxy_pass_header X-SSL-Client-S-DN; # none
# proxy_pass_header X_SSL_CLIENT_S_DN; # none
# proxy_pass_header HTTP_X_SSL_CLIENT_S_DN; # none
# proxy_pass_header HTTP-X-SSL-CLIENT-S-DN; # none
# proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn; # none
# proxy_set_header X_SSL_Client_S_DN $x_ssl_client_s_dn; # none
# proxy_set_header X-SSL-Client-S-DN $http_ssl_client_s_dn; # none
# proxy_set_header X-SSL-Client-S-DN $http_x_ssl_client_s_dn; # none
}
}
upstream app-server {
server 127.0.0.1:8008;
}
最佳答案
首先,请确保已配置Nginx.conf来验证客户端证书!我有完全相同的问题你描述.
@H_404_1@
server {
# ...
ssl_client_certificate /srv/ssl/self.crt;
ssl_verify_depth 1;
ssl_verify_client on;
# ...
location @app { # I'm using Nginx+unicorn,don't blindly copy this! :)
# ...
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
# ...
}
openssl genrsa -out me.key 1024
openssl req -new -key me.key -out me.csr
openssl x509 -req -days 365 -in me.csr -CA self.crt -CAkey self.key -set_serial 01 -out me.crt
curl -v -s -k --key me.key --cert me.crt https://fort-awesome-o
openssl pkcs12 -export -in me.crt -inkey me.key -certfile self.crt -out me.p12
