nginx – SSL client authentication


OS: CentOS 7

Web server: Nginx

Existing files

> dhparam.pem
> mydomain.com.crt
> mydomain.com.csr
> mydomain.com.key

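Problem:

I am trying to set up client authentication by creating a client certificate and then using Nginx to authenticate one server's requests to my target server. But I keep getting the 400 Bad Request – No required SSL certificate was sent error message. What am I doing wrong? Here is what I did: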

> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -sha256 -in client.csr -CA mydomain.com.crt -CAkey client.key -set_serial 2 -out client.crt

Every command ran successfully, but the error persists. Also, in my Nginx on the target server, I have:

    ssl_certificate /etc/nginx/ssl/mydomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;
    ssl_client_certificate /etc/nginx/ssl/mydomain.com.crt;

Nginx configuration:

    server {
        listen 80;
        listen 443 ssl;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # Server certificate and key
        ssl_certificate /etc/nginx/ssl/mydomain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;
        # Client certificate verification
        ssl_client_certificate /etc/nginx/ssl/client.crt;
        ssl_verify_client optional;
        server_name uploads.mydomain.com;
        root /var/www/html/com.mydomain.uploads/public;
        error_log /var/log/nginx/mydomain.com/error.log;
        access_log /var/log/nginx/mydomain.com/access.log main;
        index index.php;
        rewrite ^/index\.php?(.*)$ /$1 permanent;
        location / {
            try_files $uri @rewrite;
        }
        location @rewrite {
            rewrite ^(.*)$ /index.php/$1 last;
        }
        location ~ ^/index.php(/|$) {
            fastcgi_pass unix:/var/run/php-fpm/uploads.sock;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Pass the client certificate verification result to PHP
            fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
            fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
        }
    }
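
Best answer

This was a very stupid mistake, and now I'm ashamed of myself.

I thought the site certificate was the same as the CA certificate. So now I have created new ca.key and ca.crt files and signed the client certificate with them, and voilà.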
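
The fix described in the answer, as an added example that is not part of the original post: a separate CA signs the client certificate, and the chain is then checked against both the CA and a stand-in for the site certificate. All subjects, file names other than those on the page, the 2048-bit key size and the helper function names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example; every subject and helper name below is constructed.

# Build a private CA, a client certificate signed by it, and an unrelated
# self-signed "site" certificate standing in for mydomain.com.crt.
make_client_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    # 1. The CA: self-signed, used only to sign client certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Client CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. Client key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=client1" -keyout client.key -out client.csr 2>/dev/null || exit 1
    # 3. Sign the CSR with the CA certificate AND the CA's own key
    #    (-CAkey is the key belonging to -CA, never the client key).
    openssl x509 -req -days 365 -sha256 -in client.csr \
        -CA ca.crt -CAkey ca.key -set_serial 2 -out client.crt 2>/dev/null || exit 1
    # 4. Site certificate: a server identity, not the issuer of client.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=mydomain.com" -keyout site.key -out site.crt 2>/dev/null || exit 1
)

# Succeeds only if certificate $2 chains to the trust anchor in $1, the same
# relationship nginx needs between a client certificate and the file named
# in ssl_client_certificate.
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer of a certificate, to compare with the CA's subject.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo_dir=$(mktemp -d) || exit 1
make_client_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
issuer_of "$demo_dir/client.crt"
verify_against "$demo_dir/ca.crt" "$demo_dir/client.crt" \
    && echo "ca.crt as trust anchor: client.crt verifies"
verify_against "$demo_dir/site.crt" "$demo_dir/client.crt" \
    || echo "site.crt as trust anchor: client.crt is rejected"
rm -rf "$demo_dir"
```

With certificates built this way, ssl_client_certificate in the server block points at ca.crt, and the client presents client.crt together with client.key.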
