nginx ssl 双向认证
Nginx的浏览器/服务器双向SSL证书认证配置
文章分类:操作系统 最近的项目中需要安全性控制,而我又懒得改动后台的程序代码,故而想在反向代理层加入SSL证书验证。
一直在用Nginx做反向代理,但是其SSL的配置只用过普通的服务端单向证书。在Google,百度狂搜一通之后,一无所获,依旧是那老三样,只有单向认证的示例。浏览器端双向认证的配置好像从没人写过。
无奈之下,只好从OpenSSL的客户端证书开始学起,一点一点啃,大段大段的E文让我这半瓶子醋看的头晕眼晕。最后在
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
的提示下终于把这个证书搞定,来秀一个。
这需要一下几个步骤:
1) 安装openssl用来做证书认证
2) 创建一个CA根证书
3) 创建一个自签名的服务器证书
4) 设置Nginx
5) 创建客户端证书
6) 安装客户端证书到浏览器
7) Profit.
1)
这一步我是在ubuntu下直接apt-get装的openssl, 配置文件安装在/etc/ssl/openssl.cnf
修改openssl.cnf的以下几段
[ ca ]
default_ca = foo
Openssl将会寻找名称为foo的配置段
- [ foo ]
- dir = /etc/ssl/private
- database = $dir/index.txt
- serial = $dir/serial
- private_key = $dir/ca.key
- certificate = $dir/ca.crt
- default_days = 3650
- default_md = md5
- new_certs_dir = $dir
- policy = policy_match
[ foo ]
dir = /etc/ssl/private
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_days = 3650
default_md = md5
new_certs_dir = $dir
policy = policy_match
policy_match 我保持默认值没有改
- [ policy_match ]
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = match
- commonName = supplied
- emailAddress = optional
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
默认签发有效期为10年,你可以自己设置一个合适的值
2)
创建一个新的CA根证书
下面的几个脚本我都放在/etc/ssl目录下
new_ca.sh:
- #!/bin/sh
- # Generate the key.
- openssl genrsa -out private/ca.key
- # Generate a certificate request.
- openssl req -new -key private/ca.key -out private/ca.csr
- # Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
- # I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
- # service will never see the light of an unencrypted Internet see the cheap and lazy remark.
- # So self sign our root key.
- openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
- # Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
- echo FACE > private/serial
- # Create the CA's key database.
- touch private/index.txt
- # Create a Certificate Revocation list for removing 'user certificates.'
- openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
#!/bin/sh
# Generate the key.
openssl genrsa -out private/ca.key
# Generate a certificate request.
openssl req -new -key private/ca.key -out private/ca.csr
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.
# So self sign our root key.
openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
echo FACE > private/serial
# Create the CA's key database.
touch private/index.txt
# Create a Certificate Revocation list for removing 'user certificates.'
openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
执行 sh new_ca.sh 生成新的CA证书
3)
生成服务器证书的脚本
new_server.sh:
- # Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
- openssl genrsa -out private/server.key
- # Take our key and create a Certificate Signing Request for it.
- openssl req -new -key private/server.key -out private/server.csr
- # Sign this bastard key with our bastard CA key.
- openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
openssl genrsa -out private/server.key
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key private/server.key -out private/server.csr
# Sign this bastard key with our bastard CA key.
openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt
执行 sh new_server.sh 生成新服务器的证书
4)
最要命的一步,尝试多次后终于搞明白。
配置 nginx 的ssl支持
我的配置如下:
- # HTTPS server
- #
- server {
- listen 443;
- server_name localhost;
# HTTPS server
#
server {
listen 443;
server_name localhost;
- # 打开ssl
- ssl on;
- # 上一步生成的服务器证书
- ssl_certificate /etc/ssl/private/server.crt;
- # 服务器证书公钥
- ssl_certificate_key /etc/ssl/private/server.key;
- # 客户端证书签名 也就是第二步生成的CA签名证书
- ssl_client_certificate /etc/ssl/private/ca.crt;
- # ssl session 超时
- ssl_session_timeout 5m;
- # 打开SSL客户端校验 (双向证书检测)
- ssl_verify_client on;
- #ssl_protocols SSLv2 SSLv3 TLSv1;
- #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
- ssl_prefer_server_ciphers on;
- location / {
- root /var/www/nginx-default;
- index index.html index.htm;
- }
# 打开ssl
ssl on;
# 上一步生成的服务器证书
ssl_certificate /etc/ssl/private/server.crt;
# 服务器证书公钥
ssl_certificate_key /etc/ssl/private/server.key;
# 客户端证书签名 也就是第二步生成的CA签名证书
ssl_client_certificate /etc/ssl/private/ca.crt;
# ssl session 超时
ssl_session_timeout 5m;
# 打开SSL客户端校验 (双向证书检测)
ssl_verify_client on;
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root /var/www/nginx-default;
index index.html index.htm;
}
启动你的nginx ,等待客户连接
5)
现在来生成客户端证书
new_user.sh:
- #!/bin/sh
- # The base of where our SSL stuff lives.
- base="/etc/ssl/private"
- # Were we would like to store keys... in this case we take the username given to us and store everything there.
- mkdir -p $base/users/$1/
- # Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
- openssl genrsa -des3 -out $base/users/$1/$1.key 1024
- # Create a Certificate Signing Request for said key.
- openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
- # Sign the key with our CA's key and cert and create the user's certificate out of it.
- openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
- # This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
- # The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
- # Take the same precaution with the export password that would take with any other password based authentication scheme.
- openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12
#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/ssl/private"
# Were we would like to store keys... in this case we take the username given to us and store everything there.
mkdir -p $base/users/$1/
# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
openssl genrsa -des3 -out $base/users/$1/$1.key 1024
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
# Sign the key with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
# Take the same precaution with the export password that would take with any other password based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12
执行 sh new_user.sh yourname 来生成一个 yourname 的client证书
按照提示一步一步来,这里要注意的是客户证书的几个项目要和根证书匹配
也就是第一步时配置的:
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = match
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
不一致的话无法生成最后的客户证书
6)
发送上一步生成的 yourname.p12 到客户端。
IE下双击安装就可以导入。
FireFox安装 :
Go into preferences.
Advanced.
View Certificates.
Import.
Enter master password for FireFox (if you don't have one set one here otherwise stolen laptop = easy access).
Enter in the export password given to you by the dude who created your cert.
Hit OK like a mad man.
打开网站会弹出对话框来要求你选择使用哪个证书,选择刚才安装的证书。选择接受服务器证书。现在你可以正常访问服务器拉。如果没弄对的话就会出现400 Bad request certification的错误
转载于:https://blog.51cto.com/jasonzhoa/542584
nginx ssl 双向认证相关推荐
- SSL双向认证的实现
2019独角兽企业重金招聘Python工程师标准>>> 环境 系统:archlinux/centOS nginx:nginx/1.12.2 浏览器:火狐firefox 前提:1.安装 ...
- Nginx的双向认证
Nginx的双向认证 一.前言 参考链接 OPENSSL加密DSA,RSA介绍 客户端默认是相信权威CA机构的,操作系统内置了CA证书. 说白了就是操作系统默认就有了CA证书的公钥,比如我们能访问ht ...
- php使用curl库进行ssl双向认证
官方文档: http://www.php.net/manual/zh/function.curl-setopt.php#10692 官方举例: <?php curl_setopt($ch, CU ...
- 服务器双向认证 原理,什么叫SSL双向认证 SSL双向认证过程是怎样的
我们都知道SSL认证能够分成SSL双向认证和SSL单向认证.那么,什么是SSL双向认证?SSL双向认证过程又是怎样的?小编就在接下来的内容为各位详细讲述. 什么叫SSL双向认证 SSL双向认证则是需要 ...
- SSL双向认证和SSL单向认证的区别
双向认证 SSL 协议要求服务器和用户双方都有证书.单向认证 SSL 协议不需要客户拥有CA证书,具体的过程相对于上面的步骤,只需将服务器端验证客户证书的过程去掉,以及在协商对称密码方案,对称通话密钥 ...
- HTTPS|SSL笔记-SSL双向认证成功握手过程(含wireshark分析)
这里只研究连接过程. 整体的流程是这样的 前三个那个SYN.SYN ACK.ACK是TCP三次握手,就不说了. 1. 握手成功后,客户端发送自己支持的加密套,和随机数给服务端,也就是Client He ...
- java使用bks双向认证_客户端与服务器SSL双向认证(客户端:Android
客户端与服务器SSL双向认证(客户端Android-服务端vc)-含源码(一)服务端已经生成了client.p12.server.p12.ca.p12:主要实现客户端过程(二)目录结构(三)客户端注 ...
- SSL双向认证和单向认证原理
一.公钥私钥 1,公钥和私钥成对出现 2,公开的密钥叫公钥,只有自己知道的叫私钥 3,用公钥加密的数据只有对应的私钥可以解密 4,用私钥加密的数据只有对应的公钥可以解密 5,如果可以用公钥解密,则必然 ...
- SSL双向认证和SSL单向认证的流程和区别
refs: SSL双向认证和SSL单向认证的区别 https://www.jianshu.com/p/fb5fe0165ef2 图解 https 单向认证和双向认证! https://cloud.te ...
最新文章
- AI一分钟 | 英伟达发布最强核弹—无人车AI芯片DRIVE Xavier;百度硅谷首次开放无人车试乘:上车前要先签免责书
- 正确使用stl vecotr erase函数
- Involution代码
- BZOJ2648 SJY摆棋子(KD-Tree)
- 学习笔记(34):Python网络编程并发编程-异步调用与回调机制
- 不好意思,这么久没有更新《从零开始掌握ASP.NET Core 》
- NET(C#):await返回Task的async方法
- java数据结构期末复习_java数据结构复习02
- 20145335郝昊《网络对抗》逆向及Bof基础实践
- word2vec理论与实践
- 来自Airbnb、Netflix等公司的代码评审最佳实践
- 【车牌识别】基于matlab投影模板匹配车牌识别【含Matlab源码 1359期】
- TSP-遗传算法求解
- 100多套毕业论文答辩PPT模板百度网盘链接
- 【JVM · 调优】监控及诊断工具
- WDM驱动程序的基本结构和实例
- 信息学竞赛 c语言 pascal,pascal信息学竞赛教程
- 根据域名展示对应备案号内容的共用站点默认页面index.html
- hikari配置断开重连_Spring boot 数据库连接断线重连问题
- David Cutler NT之父
热门文章
- php7垃圾回收机制l_php5和php7垃圾回收上的区别是什么?
- linux msgctl函数,msgctl()函数
- 小郡肝火锅点餐系统——项目文档
- nvm-windows 安装后,node 命令报错
- Java从入门到精通——数据库篇Mongo DB 导出,导入,备份
- Oracle 查看 表 存储过程 触发器 函数 等对象定义语句的方法
- 摘:多线程和异步的区别
- tar (child): lbzip2: Cannot exec: No such file or directory 解决方法
- Django中datetime类型的相关操作(记录一下)
- Python学习笔记之列表(四)