From tit на irk.ru Tue Oct 5 06:38:09 2021 From: tit на irk.ru (Alexander Titaev) Date: Tue, 5 Oct 2021 14:38:09 +0800 Subject: auth by cert Message-ID: <2710380914.20211005143809@irk.ru> Здравствуйте, Nginx-ru. берем мануал https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ и строгаем песочницу [root на localhost ~]# cat /etc/nginx/conf.d/test.conf server { listen *:443 ssl; listen *:1443 ssl; server_name test; access_log /var/log/nginx/test_access.log; error_log /var/log/nginx/test_error.log; ssl_certificate /etc/nginx/ssl/test.crt; ssl_certificate_key /etc/nginx/ssl/test.key; ssl_client_certificate /etc/nginx/ssl/ca.crt; ssl_verify_client on; root /var/www; location / { } } [root на localhost ~]# cat /etc/nginx/conf.d/proxy.conf server { listen *:443 ssl; server_name proxy; access_log /var/log/nginx/proxy_access.log; error_log /var/log/nginx/proxy_error.log ; ssl_certificate /etc/nginx/ssl/proxy.crt; ssl_certificate_key /etc/nginx/ssl/proxy.key; root /var/www1; location / { } location /test { rewrite ^/test(.*)$ $1 break; proxy_pass https://test; proxy_set_header Host test; proxy_ssl_certificate /etc/nginx/ssl/client.crt; proxy_ssl_certificate_key /etc/nginx/ssl/client.key; proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt; proxy_ssl_verify off; } location /test2 { rewrite ^/test2(.*)$ $1 break; proxy_pass https://test:1443; proxy_set_header Host test; proxy_ssl_certificate /etc/nginx/ssl/client.crt; proxy_ssl_certificate_key /etc/nginx/ssl/client.key; proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt; proxy_ssl_verify on; } } тестируем [root на localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.crt --resolve test:443:127.0.0.1 https://test Mon Oct 4 10:37:00 UTC 2021 работает [root на localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.crt --resolve test:1443:127.0.0.1 https://test:1443 Mon Oct 4 10:37:00 UTC 2021 работает [root на localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test2/ Mon Oct 4 10:37:00 UTC 2021 работает [root на localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test/ 400 Bad Request No required SSL certificate was sent nginx/1.20.1 и еще, если сделать proxy_ssl_verify on; [root на localhost ~]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test/