nginx reverse proxy with two way SSL to weblogic


Question

I am trying to use nginx as a reverse proxy to web logic with two way SSL/mutual SSL.

Client <= Two way SSL => NGINX <= Two Way SSL => WebLogic server

Client to NGINX two way SSL works fine but I am getting the errors below on the upstream connection to web logic.

nginx debug log:


2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 0
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: -1
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 2
2014/08/16 22:40:53 [debug] 33741#0: timer delta: 5
2014/08/16 22:40:53 [debug] 33741#0: posted events 0000000000000000
2014/08/16 22:40:53 [debug] 33741#0: worker cycle
2014/08/16 22:40:53 [debug] 33741#0: kevent timer: 59840, changes: 0
2014/08/16 22:40:53 [debug] 33741#0: kevent events: 2
2014/08/16 22:40:53 [debug] 33741#0: kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150
2014/08/16 22:40:53 [debug] 33741#0: *9 kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 1
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: 0
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 1
SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream
client: localhost, server: localhost, request: "GET /customers/~/xxxx/~/xxx/health HTTP/1.1", upstream: "https://xx.xx.xx.xxx:11211/customer-upstream/~/xxx/~/xxx/health/", host: "localhost:12121"

Here is my nginx configuration for the upstream:


proxy_cache_path /opt/openresty/nginx/cache levels=1:2 keys_zone=data-cache:8m max_size=1000m inactive=600m;
proxy_temp_path  /opt/openresty/nginx/cache/tmp;

upstream rs_backend {
    server xx.xx.xx.xxx:11211;
}

server {
    server_name localhost;
    listen 12121 ssl;

    ssl                  on;
    ssl_verify_client    on;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    #ssl_protocols  TLSv1;
    #ssl_ciphers  SSL_RSA_WITH_RC4_128_MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
    #ssl_ciphers HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
    ssl_prefer_server_ciphers    on;
    proxy_ssl_session_reuse      off;
    large_client_header_buffers  4 32K;

    ssl_certificate         /etc/ssl/api-cert.pem;
    ssl_certificate_key     /etc/ssl/api-cert.key;
    ssl_client_certificate  /etc/ssl/api-cert.pem;

    location /customers/ {
        rewrite  ^/customers/(.*)  /customer-upstream/$1/ break;
        proxy_redirect off;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 4;
        proxy_ssl_trusted_certificate  /etc/ssl/api-cert-nopass.pem;

        proxy_pass_header Server;
        proxy_http_version 1.1;
        proxy_set_header Connection Keep-Alive;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header Host localhost:11211;
        proxy_set_header Accept 'application/json;v=3';

        proxy_pass https://xx.xx.xx.xxx:11211/;
        #proxy_pass https://rs_backend;
    }
}

I tried various options, including commenting out the configs below.


 proxy_ssl_verify on;
 proxy_ssl_verify_depth 4;

If I try using the openssl s_client command line, I am able to connect and get a 2xx response for an HTTP GET request.


openssl s_client -connect xx.xx.xx.xxx:11211 -cert api-qaid-nopass.pem

Any help would be greatly appreciated.

Recommended answer

I have added support for two way/mutual authentication using a certificate and key.

See the pull request:

https://github.com/nginx/nginx/pull/7

http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005817.html

It has been validated against a WebLogic 11g server which is configured for two way SSL.
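For readers arriving at this thread later: the gap in the asker's configuration is that it tells nginx how to verify the WebLogic server certificate (proxy_ssl_verify, proxy_ssl_trusted_certificate) but gives nginx no client certificate to present on the upstream leg, so a WebLogic server that enforces client certificates rejects the handshake with alert 40 (handshake failure), while the openssl s_client test succeeds only because it was given -cert. The directives the answer describes adding, proxy_ssl_certificate and proxy_ssl_certificate_key, ship in stock nginx from version 1.7.8 onward. The configuration below is an added example, not the asker's config and not the code from the answerer's pull request; all hostnames and file paths are placeholders, and TLSv1.3 in the protocol lists assumes nginx 1.13.0 or newer built against OpenSSL 1.1.1 or newer (drop it on older builds).

```nginx
# Added example: nginx (>= 1.7.8) as a mutual-TLS reverse proxy to a WebLogic
# upstream that enforces client certificates. Hosts and paths are placeholders.

upstream rs_backend {
    server weblogic.example.internal:11211;   # placeholder WebLogic host
}

server {
    listen      12121 ssl;
    server_name localhost;

    # Leg 1, client -> nginx: nginx presents its own server certificate and
    # requires a client certificate issued by the CA in ssl_client_certificate.
    ssl_certificate         /etc/ssl/api-cert.pem;           # placeholder
    ssl_certificate_key     /etc/ssl/api-cert.key;           # placeholder
    ssl_client_certificate  /etc/ssl/client-ca.pem;          # placeholder CA bundle
    ssl_verify_client       on;
    ssl_verify_depth        2;

    # SSLv3 (listed in the original config) and RC4 suites are left out here.
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   on;
    ssl_session_cache           shared:SSL:1m;
    ssl_session_timeout         10m;

    location /customers/ {
        rewrite ^/customers/(.*) /customer-upstream/$1/ break;

        # Leg 2, nginx -> WebLogic: the certificate and key nginx presents when
        # WebLogic sends a CertificateRequest. Without these two lines nginx sends
        # an empty certificate and an enforcing WebLogic replies with alert 40.
        proxy_ssl_certificate       /etc/ssl/proxy-client-cert.pem;   # placeholder
        proxy_ssl_certificate_key   /etc/ssl/proxy-client-cert.key;   # placeholder

        # Verify WebLogic's server certificate against the CA that issued it.
        # proxy_ssl_name sets the name checked against that certificate (and sent
        # via SNI); with proxy_pass to an upstream block it would otherwise default
        # to the upstream name "rs_backend" and verification would fail.
        proxy_ssl_trusted_certificate /etc/ssl/weblogic-ca.pem;       # placeholder
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        4;
        proxy_ssl_name                weblogic.example.internal;      # placeholder
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept 'application/json;v=3';

        proxy_pass https://rs_backend/;
    }
}
```

To confirm the diagnosis before changing the config, run the asker's openssl s_client command twice against the upstream, once with -cert (and -key if the key is in a separate file) and once without: if the bare run ends in the same "alert handshake failure" (alert 40) right after the server's certificate request while the run with a certificate completes, the upstream is enforcing client certificates and nginx simply is not presenting one. After the change, `nginx -t` validates the directives, and an nginx version older than 1.7.8 will report proxy_ssl_certificate as an unknown directive, which is exactly the situation the answer's pull request addressed.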
