Nginx - how to access Client Certificate's Subject Alternative Name (SAN) field


Question


I have an Nginx server which clients make requests to with a Client certificate containing a specific CN and SAN. I want to be able to extract the CN (Common Name) and SAN (Subject Alternative Names) fields of that client cert.

Rough example config:

server {
    listen 443 ssl;
    ssl_client_certificate /etc/nginx/certs/client.crt;
    ssl_verify_client on; # 400 if request without valid cert

    location / {
        root /usr/share/nginx/html;
    }

    location /auth_test {
        # do something with the CN and SAN.
        # tried these embedded vars so far, to no avail
        return 200 "
        $ssl_client_s_dn
        $ssl_server_name
        $ssl_client_escaped_cert
        $ssl_client_cert
        $ssl_client_raw_cert";
    }
}


Using the embedded variables exposed as part of the ngx_http_ssl_module module I can access the DN (Distinguished Name) and therefore the CN etc., but I don't seem to be able to get access to the SAN.


Is there some embedded var / other module / general Nginx foo I'm missing? I can access the raw cert, so is it possible to decode that manually and extract it?


I'd really rather do this at the Nginx layer as opposed to passing the cert down to the application layer and doing it there.


Any help much appreciated.

Answer


You can do it through OpenResty + Lua-OpenSSL and parse the raw certificate to get it.

See the following: https://github.com/Seb35/nginx-ssl-variables/blob/master/COMPATIBILITY.md#ssl_client_s_dn_x509

Like this:

-- Parse the PEM nginx exposes in $ssl_client_raw_cert with Lua-OpenSSL and
-- pull one component (here C=) out of the one-line DN. This reads the issuer
-- DN; use :subject() in the same way for the client's own DN.
local variableName = string.match(require("openssl").x509.read(ngx.var.ssl_client_raw_cert):issuer():oneline(), "/C=([^/]+)")
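As an added example that is not part of the original answer, the same approach carried through to both fields the question asks for: an OpenResty server block that, after nginx has verified the client certificate, parses `$ssl_client_raw_cert` in Lua and returns the subject CN and every SAN entry. It uses lua-resty-openssl rather than the Lua-OpenSSL binding the answer names; the method names (`x509.new`, `get_subject_name():find`, `get_subject_alt_name():each`) are assumptions taken from that library's documentation, and all paths and hostnames are placeholders.

```nginx
# Added example, not from the original question or answer. OpenResty server
# block that reads the verified client certificate's CN and SAN in Lua.
# Library: lua-resty-openssl (assumed API, see its docs); all paths and
# hostnames below are placeholders.
server {
    listen 443 ssl;
    ssl_certificate         /etc/nginx/certs/server.crt;   # placeholder
    ssl_certificate_key     /etc/nginx/certs/server.key;   # placeholder
    ssl_client_certificate  /etc/nginx/certs/ca.crt;       # CA that issues client certs
    ssl_verify_client       on;   # nginx answers 400 before any Lua runs if no valid cert

    location /auth_test {
        content_by_lua_block {
            local x509 = require("resty.openssl.x509")

            -- PEM of the certificate the client presented (populated only
            -- after ssl_verify_client accepted it)
            local pem = ngx.var.ssl_client_raw_cert
            if not pem or pem == "" then
                return ngx.exit(ngx.HTTP_BAD_REQUEST)
            end

            local cert, err = x509.new(pem)          -- assumed: x509.new(pem_string)
            if not cert then
                ngx.log(ngx.ERR, "client cert parse failed: ", err)
                return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            -- Subject CN: read from the subject, not the issuer, so it
            -- identifies the client rather than the CA that signed it
            local subject = cert:get_subject_name()
            local entry = subject:find("CN")         -- assumed: returns {blob = "..."}
            local cn = entry and entry.blob or ""

            -- Subject Alternative Names: each() yields (type, value) pairs
            -- such as ("DNS", "client1.example.test") or ("email", "...")
            local sans = {}
            local altnames = cert:get_subject_alt_name()
            if altnames then
                for kind, value in altnames:each() do
                    sans[#sans + 1] = kind .. ":" .. value
                end
            end

            ngx.header["Content-Type"] = "text/plain"
            ngx.say("CN=", cn)
            ngx.say("SAN=", table.concat(sans, ","))
        }
    }
}
```

Two details worth checking when adapting this: `$ssl_client_raw_cert` carries the PEM unchanged, while `$ssl_client_escaped_cert` is URL-encoded and `$ssl_client_cert` has tab characters inserted before every line but the first, so only the raw variable should be handed to the parser as-is; and because `ssl_verify_client on` makes nginx reject the handshake before the Lua block runs, the certificate being parsed here has already chained to the file named in `ssl_client_certificate`, so the CN and SAN values can be trusted to the extent that CA is.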

