nginx – SSL客户端认证

Nginx 前端之家
前端之家收集整理的这篇文章主要介绍了nginx – SSL客户端认证前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

操作系统:CentOS 7

南方周末:Nginx

现有的东西

> dhparam.pem
> mydomain.com.crt
> mydomain.com.csr
> mydomain.com.key

问题:

我正在尝试通过创建客户端证书来创建客户端验证,然后使用Nginx将一个服务器请求验证到我的目标服务器.但是我经常收到400 Bad Request – 没有发送所需的SSL证书错误消息.我究竟做错了什么?这是我做的:

> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -sha256 -in client.csr -CA mydomain.com.crt -CAkey client.key -set_serial 2 -out client.crt

每个命令都成功运行,但错误仍然存​​在.同样在我的Nginx中,在目标服务器上,我有:

ssl_certificate         /etc/Nginx/ssl/mydomain.com.crt;
ssl_certificate_key     /etc/Nginx/ssl/mydomain.com.key;
ssl_client_certificate  /etc/Nginx/ssl/mydomain.com.crt;

Nginx配置:

server {
    listen 80;
    listen 443 ssl;

    ssl_dhparam /etc/Nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    ssl_certificate         /etc/Nginx/ssl/mydomain.com.crt;
    ssl_certificate_key     /etc/Nginx/ssl/mydomain.com.key;
    ssl_client_certificate  /etc/Nginx/ssl/client.crt;

    ssl_verify_client optional;

    server_name uploads.mydomain.com;
    root /var/www/html/com.mydomain.uploads/public;

    error_log /var/log/Nginx/mydomain.com/error.log;
    access_log /var/log/Nginx/mydomain.com/access.log main;

    index index.PHP;

    rewrite ^/index\.PHP?(.*)$/$1 permanent;

    location / {
        try_files $uri @rewrite;
    }

    location @rewrite {
        rewrite ^(.*)$/index.PHP/$1 last;
    }

    location ~ ^/index.PHP(/|$) {
        fastcgi_pass unix:/var/run/PHP-fpm/uploads.sock;
        fastcgi_split_path_info ^(.+\.PHP)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SSL_CLIENT_VERIFY    $ssl_client_verify;
        fastcgi_param SSL_CLIENT_S_DN       $ssl_client_s_dn;
    }
}
最佳答案
这是一个非常愚蠢的错误,现在我为自己感到羞耻.

我认为网站证书与CA证书相同.所以现在我已经创建了新的ca.key和ca.crt文件,并与他们签署了客户证书,瞧. 原文链接:https://www.f2er.com/nginx/435173.html

certificate

猜你在找的Nginx相关文章

Nginx基础知识学习(安装/进程模型/事件处理机制/详细配置/定时切割日志)
一、Linux下Nginx的安装 1.去官网 http://nginx.org/download/下载对应的Nginx安...
Nginx配置文件nginx.conf中location的匹配原则
一、空格:默认匹配、普通匹配 location / { root /home; } 二、= :精确匹配(表示匹配到...
nginx指定配置文件启动
``` nginx -c 配置文件路径 ``` ``` /usr/local/nginx/sbin/nginx -c /usr/local/nginx/co...
你真的了解负载均衡中间件nginx吗?
前言 nginx可所谓是如今最好用的软件级别的负载均衡了。通过nginx的高性能,并发能力强,占...
Ngnix负载均衡安装及配置
1.ngnix概念 Nginx是一款高性能的http 服务器/反向代理服务器及电子邮件(IMAP/POP3)代理...
[Linux] nginx的try_files指令实现隐藏index.php的重写
1.nginx的try_files指令 ,核心功能是替代rewrite,并且比rewrite更强大的是可以按顺序查找...
[日常] 前端资源测试机上忽略版本号的的nginx配置
利用nginx的rewrite的指令,可以实现url的重新跳转,rewrtie有四种不同的flag,分别是redi...
[Nginx] 1.17.9中的更改日志
1. 不允许多个Host请求头 2. 忽略额外的Transfer-Encoding请求头 3.修复在HTTP/2时的socke...
[Linux] 解决nginx: [emerg] directive "rewrite" is not terminated by ";"
解决nginx: [emerg] directive "rewrite" is not terminated by &q...
[Nginx] location与rewrite配合处理项目的重写和路径问题
某个项目中路由是通过$_SERVER['REQUEST_URI']来进行的匹配处理 , 并且隐...
LinuxWindowsCentOSUbuntuNginxWebServiceScalaMemcacheApacheRedisDockerBashAzureTomcatLNMPShell数据结构服务器运维网络安全
xebugnodemondocker-copydcoselasticsearcwindows-contdocker-windodocker-awsamazon-cloudenvoyproxyhashicorp-vaswisscomdevkafka-pythonzscalerphoton-osdocker-swarmkamongoogle-cloudconcoursewso2-ampersistent-vapi-managerprocess-manamanjarojenkins-workhypriotremoteapikeystonejsbitcoindbitcoin-test