How to configure mutual (client) certificate verification on an nginx proxy server
Generating the certificate chain
Use a script to generate one root certificate, one intermediate certificate, and three client certificates.
The script is adapted (with modifications) from:
https://stackoverflow.com/questions/26759550/how-to-create-own-self-signed-root-certificate-and-intermediate-ca-to-be-importe
The domain name of the intermediate certificate is localhost.
#!/bin/bash -x
set -e

# One CA directory layout plus an openssl.conf for the root CA and for the intermediate CA
for C in root-ca intermediate; do
  mkdir $C
  cd $C
  mkdir certs crl newcerts private
  cd ..
  echo 1000 > $C/serial
  touch $C/index.txt $C/index.txt.attr
  echo '
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = '$C'                             # Where everything is kept
certs = $dir/certs                     # Where the issued certs are kept
crl_dir = $dir/crl                     # Where the issued crl are kept
database = $dir/index.txt              # database index file.
new_certs_dir = $dir/newcerts          # default place for new certs.
certificate = $dir/cacert.pem          # The CA certificate
serial = $dir/serial                   # The current serial number
crl = $dir/crl.pem                     # The current CRL
private_key = $dir/private/ca.key.pem  # The private key
RANDFILE = $dir/.rnd                   # private random number file
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_days = 365
default_md = sha256

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:TRUE
' > $C/openssl.conf
done

# Root CA: self-signed, valid for 10 years, marked CA:TRUE through the v3_req section
openssl genrsa -out root-ca/private/ca.key 2048
openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'

# Intermediate CA: CSR signed by the root CA, also marked CA:TRUE
openssl genrsa -out intermediate/private/intermediate.key 2048
openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'
openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt

# Three client certificates (1.example.com to 3.example.com), each signed by the intermediate CA
mkdir out
for I in 1 2 3; do
  openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048
  openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request
done
Server
nginx configuration
worker_processes 1;

events {
    worker_connections 1024;
}

stream {
    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 8888 ssl;
        proxy_pass backend;

        ssl_certificate intermediate.crt;
        ssl_certificate_key intermediate.key;

        ssl_verify_depth 2;
        ssl_client_certificate root.crt;
        ssl_verify_client optional_no_ca;
    }
}

ssl_verify_depth 2 is what allows a client certificate issued by the intermediate CA to chain up to root.crt. Note that optional_no_ca only requests a client certificate and does not reject the connection when the certificate does not verify against root.crt; to have nginx enforce the check, use ssl_verify_client on.
Client
curl \
  -I \
  -vv \
  -x https://localhost:8888/ \
  --proxy-cert client1.crt \
  --proxy-key client1.key \
  --proxy-cacert ca.crt \
  https://www.baidu.com/
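Before pointing curl at the proxy, it is worth confirming that the chain itself behaves the way the nginx settings assume. The script below is an added example, not part of the original article: it builds a throwaway root -> intermediate -> client chain in the same shape as the one generated above (all paths, file names and the trimmed config are constructed here) and uses openssl verify to show that the client certificate only validates against the root when the intermediate is available and the depth limit, the counterpart of ssl_verify_depth, is large enough.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root -> intermediate -> client
# chain shaped like the article's and check with `openssl verify` what the nginx settings above
# rely on. All paths and names are constructed here.
set -e

# Minimal CA/req config for CA directory $1 (a trimmed version of the article's openssl.conf).
make_ca_conf() {
  cat > "$1/ca.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir
database = \$dir/index.txt
serial = \$dir/serial
policy = policy_any
default_md = sha256
default_days = 365
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  echo 1000 > "$1/serial"; : > "$1/index.txt"
}

# Create the chain in a temp dir and print its path: root and intermediate are CA:TRUE,
# the client cert (CN=1.example.com, as in the article) is a plain end-entity cert.
build_chain() {
  d=$(mktemp -d); mkdir "$d/root" "$d/inter"; make_ca_conf "$d/root"; make_ca_conf "$d/inter"
  openssl req -config "$d/root/ca.conf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj '/CN=Root-ca' -keyout "$d/root/ca.key" -out "$d/root/ca.crt" >/dev/null 2>&1
  openssl req -config "$d/root/ca.conf" -new -newkey rsa:2048 -nodes -subj '/CN=localhost' -keyout "$d/inter/ca.key" -out "$d/inter/ca.csr" >/dev/null 2>&1
  openssl ca -batch -config "$d/root/ca.conf" -keyfile "$d/root/ca.key" -cert "$d/root/ca.crt" -extensions v3_ca -notext -in "$d/inter/ca.csr" -out "$d/inter/ca.crt" >/dev/null 2>&1
  openssl req -config "$d/root/ca.conf" -new -newkey rsa:2048 -nodes -subj '/CN=1.example.com' -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl ca -batch -config "$d/inter/ca.conf" -keyfile "$d/inter/ca.key" -cert "$d/inter/ca.crt" -notext -in "$d/client.csr" -out "$d/client.crt" >/dev/null 2>&1
  echo "$d"
}
# chain_ok DIR DEPTH: does client.crt chain to the root when the intermediate is supplied as an
# untrusted cert and the depth limit is DEPTH (the counterpart of nginx's ssl_verify_depth)?
chain_ok() { openssl verify -verify_depth "$2" -CAfile "$1/root/ca.crt" -untrusted "$1/inter/ca.crt" "$1/client.crt" >/dev/null 2>&1; }

# root_only DIR: the same check with the root alone, i.e. what nginx has when the client sends
# only its leaf cert and ssl_client_certificate holds just root.crt.
root_only() { openssl verify -CAfile "$1/root/ca.crt" "$1/client.crt" >/dev/null 2>&1; }
```

Run it as `D=$(build_chain); chain_ok "$D" 2; chain_ok "$D" 0; root_only "$D"` and compare exit codes: the first succeeds, the other two fail.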
That is all for this article; we hope it helps with your learning, and we also hope you will continue to support 毛票票.