How to configure mutual (client) certificate verification on an nginx proxy server
Generating the certificate chain
The script below generates one root certificate, one intermediate certificate and three client certificates, giving the root and the intermediate each their own CA directory and a minimal openssl.conf.
The intermediate certificate is issued with CN localhost; the nginx configuration further down uses it both as the CA that signs the client certificates and as the proxy's own server certificate.
#!/bin/bash -x
set -e

# One CA directory layout and one openssl.conf for each CA: the root and the intermediate.
for C in root-ca intermediate; do
  mkdir -p "$C"/certs "$C"/crl "$C"/newcerts "$C"/private
  echo 1000 > "$C"/serial
  touch "$C"/index.txt "$C"/index.txt.attr
  echo '
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = '$C'                     # Where everything is kept
certs         = $dir/certs               # Where the issued certs are kept
crl_dir       = $dir/crl                 # Where the issued crl are kept
database      = $dir/index.txt           # database index file
new_certs_dir = $dir/newcerts            # default place for new certs
certificate   = $dir/cacert.pem          # The CA certificate (overridden by -cert below)
serial        = $dir/serial              # The current serial number
crl           = $dir/crl.pem             # The current CRL
private_key   = $dir/private/ca.key.pem  # The private key (overridden by -keyfile below)
RANDFILE      = $dir/.rnd                # private random number file
nameopt       = default_ca
certopt       = default_ca
policy        = policy_match
default_days  = 365
default_md    = sha256

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
req_extensions     = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:TRUE
' > "$C"/openssl.conf
done

# Self-signed root CA; -extensions v3_req marks it CA:TRUE.
openssl genrsa -out root-ca/private/ca.key 2048
openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 \
  -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'

# Intermediate CA with CN localhost, signed by the root with CA:TRUE; nginx also serves it as its server certificate.
openssl genrsa -out intermediate/private/intermediate.key 2048
openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key \
  -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'
openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt \
  -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt

# Three client certificates issued by the intermediate. No -extensions here, so they are plain end-entity certs.
# The intermediate's own openssl.conf is used so that its serial and index.txt database record what it issued.
mkdir out
for I in 1 2 3; do
  openssl req -new -newkey rsa:2048 -nodes -keyout out/$I.key -out out/$I.request -days 365 -subj "/CN=$I.example.com"
  openssl ca -batch -config intermediate/openssl.conf -keyfile intermediate/private/intermediate.key \
    -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request
done
Server
nginx configuration

worker_processes 1;

events {
    worker_connections 1024;
}

stream {
    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 8888 ssl;
        proxy_pass backend;

        ssl_certificate        intermediate.crt;   # intermediate/certs/intermediate.crt: the intermediate CA cert doubles as the server cert
        ssl_certificate_key    intermediate.key;   # intermediate/private/intermediate.key
        ssl_verify_depth       2;                  # enough for the chain client -> intermediate -> root
        ssl_client_certificate root.crt;           # root-ca/certs/ca.crt
        ssl_verify_client      optional_no_ca;     # requests a client cert but never fails the handshake over it
    }
}

Because the server certificate is the intermediate CA certificate itself, a client that trusts only the root can verify it, and ssl_verify_depth 2 is sufficient for a client certificate issued by the intermediate.

Note what optional_no_ca means: nginx asks the client for a certificate but does not require it to chain to anything in ssl_client_certificate, so the TLS handshake completes whether the client presents a valid certificate, a certificate from an unrelated CA, or none at all. The verification result is only exposed through the $ssl_client_verify variable, which this configuration does not consult, and the upstream on 127.0.0.1:8080 receives plain TCP and learns nothing about it. As written, the configuration demonstrates the certificate exchange but enforces nothing. To actually require a valid client certificate, set ssl_verify_client on and make the intermediate available for chain building, either by appending intermediate.crt to the root certificate in the file named by ssl_client_certificate, or by having the client send the intermediate together with its leaf; with only root.crt on the server and only the leaf from the client, nginx cannot build the chain and, with on, rejects the connection.
Client
curl 7.52.0 or newer can speak TLS to the proxy itself (-x https://...), so the upstream nginx forwards to on 127.0.0.1:8080 has to be an HTTP forward proxy; nginx only terminates TLS in front of it. client1.crt and client1.key are out/1.crt and out/1.key from the script, and ca.crt is the root certificate root-ca/certs/ca.crt, which lets curl verify the intermediate that nginx presents:

curl \
  -I \
  -vv \
  -x https://localhost:8888/ \
  --proxy-cert client1.crt \
  --proxy-key client1.key \
  --proxy-cacert ca.crt \
  https://www.baidu.com/

With the configuration above the request also succeeds when --proxy-cert and --proxy-key are left out or point at a certificate from an unrelated CA, because optional_no_ca never fails the handshake. Once ssl_verify_client is switched to on, the intermediate has to be available as well: either appended to root.crt on the nginx side, or appended to client1.crt, since curl with the OpenSSL backend sends any further certificates found in the --proxy-cert file as the chain.
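The handshake behaviour described above, as an added example that is not part of the original article: a Go program builds the same shape of chain in memory (Root-ca, an intermediate with CN localhost that also serves as the server certificate, a client leaf 1.example.com) and replays the server-side settings nginx exposes. tls.RequestClientCert stands in for ssl_verify_client optional_no_ca, tls.RequireAndVerifyClientCert for on, the ClientCAs pool for the file behind ssl_client_certificate, and the certificate slice the client presents for the PEM file handed to curl --proxy-cert. The ECDSA keys, the loopback TCP transport, the names and the self-signed "stranger" certificate are this example's assumptions, not the page's. One detail differs from curl: Go's client withholds a certificate whose issuer the server did not advertise, which is one of the two ways the leaf-only case fails (the other being that the server cannot chain it to the root).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for cn with parent/parentKey (self-signed when parent is nil). It stands
// in for the page's openssl genrsa/req/ca steps so that the example runs offline; ECDSA is assumed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the page's basicConstraints=CA:TRUE, with a matching key usage
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Outcome is what the proxy learns: whether the handshake completed and which client CN it saw.
type Outcome struct{ Accepted bool; PeerCN string }

// handshake runs one TLS handshake over loopback TCP. clientAuth plays nginx's ssl_verify_client (RequestClientCert ~
// optional_no_ca, RequireAndVerifyClientCert ~ on), clientCAs the file behind ssl_client_certificate, and chain what
// the client presents, leaf first, like the PEM file given to curl --proxy-cert.
func handshake(srv tls.Certificate, roots *x509.CertPool, clientAuth tls.ClientAuthType,
	clientCAs *x509.CertPool, chain [][]byte, key *ecdsa.PrivateKey) Outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // the client side: what curl does with --proxy-cacert, --proxy-cert and --proxy-key
		cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: key}}}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		panic(err)
	}
	s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: clientAuth, ClientCAs: clientCAs})
	defer s.Close()
	s.SetDeadline(time.Now().Add(5 * time.Second))
	if s.Handshake() != nil { // no usable client certificate: nginx with ssl_verify_client on drops the connection here
		return Outcome{}
	}
	o := Outcome{Accepted: true}
	if pc := s.ConnectionState().PeerCertificates; len(pc) > 0 {
		o.PeerCN = pc[0].Subject.CommonName
	}
	return o
}

// Scenarios builds the page's chain (Root-ca -> intermediate with CN localhost, also the server cert -> client leaf
// 1.example.com) plus an unrelated self-signed "stranger" cert and replays the verify-mode / trust-file / chain combinations.
func Scenarios() map[string]Outcome {
	root, rootKey := issue("Root-ca", true, nil, nil)
	inter, interKey := issue("localhost", true, root, rootKey)
	client, clientKey := issue("1.example.com", false, inter, interKey)
	stranger, strangerKey := issue("stranger", false, nil, nil)
	rootOnly, rootAndInter := x509.NewCertPool(), x509.NewCertPool()
	rootOnly.AddCert(root) // root.crt alone
	rootAndInter.AddCert(root)
	rootAndInter.AddCert(inter) // root.crt with intermediate.crt appended
	srv := tls.Certificate{Certificate: [][]byte{inter.Raw}, PrivateKey: interKey}
	return map[string]Outcome{
		"optional_no_ca, stranger cert":          handshake(srv, rootOnly, tls.RequestClientCert, nil, [][]byte{stranger.Raw}, strangerKey),
		"on, trust root, send leaf":              handshake(srv, rootOnly, tls.RequireAndVerifyClientCert, rootOnly, [][]byte{client.Raw}, clientKey),
		"on, trust root, send leaf+intermediate": handshake(srv, rootOnly, tls.RequireAndVerifyClientCert, rootOnly, [][]byte{client.Raw, inter.Raw}, clientKey),
		"on, trust root+intermediate, send leaf": handshake(srv, rootOnly, tls.RequireAndVerifyClientCert, rootAndInter, [][]byte{client.Raw}, clientKey),
	}
}

func main() {
	for name, o := range Scenarios() {
		fmt.Printf("%-40s accepted=%-5v peer=%q\n", name, o.Accepted, o.PeerCN)
	}
}
```

Running it prints one line per scenario. With the optional_no_ca equivalent the handshake completes for a certificate nobody issued, and the server even records its CN as the peer; with the on equivalent the leaf alone is refused against a root-only trust file and accepted as soon as the intermediate is available on either side, which is the same effect as appending intermediate.crt to root.crt or to the client's --proxy-cert file in the nginx setup.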