如何在Nginx中设置双向SSL自定义位置? [英] How to set up two-way SSL in Nginx for custom location?
问题描述
我有一个rails 4项目与一些API。
I have a rails 4 project with some API.
这个项目运行 nginx v.1.6.3
This project runs with nginx v.1.6.3
and https
on production.
Nginx配置:
upstream app {
# Path to Unicorn SOCK file, as defined previously
server unix:/tmp/unicorn.my_domain.sock fail_timeout=0;
}
server {
listen 80;
server_name my_domain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/public.crt;
ssl_certificate_key /etc/nginx/ssl/private.rsa;
server_name my_domain.com;
root /var/www/current;
location /assets {
root /var/www/current/public;
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @app;
location @app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
问题
API请求( POST / api / some_path / create
等)应使用双向SSL保护。
API requests (POST /api/some_path/create
etc.) should be protected with two-way SSL.
只有一个服务会使用此API(只有一个客户有一个证书)
Only one service will use this API (only 1 client with one certificate)
问题
- nginx能否处理
双向SSL
? -
双向SSL
应该在nginx
层上实现,而不是在Web应用程序逻辑中。 - 如何设置
nginx
来捕获向/ api /发送请求的客户端。 ..
url并使用双向SSL
?验证他们
- Does nginx able to handle
two-way SSL
? two-way SSL
should be implemented onnginx
layer, not in web-application logic. am I right?- How to set up
nginx
to catch clients which sends requests to/api/...
url and authenticate them withtwo-way SSL
?
我只需要一个基本的例子,了解它应该如何工作。
I just need a basic example, to understand how it should work. Many thanks!
推荐答案
- 是(参见 ssl_client_certificate 和 ssl_verify_client 指令)。
- 取决于您的应用程序,但在这种情况下,您只需验证证书是否已签名
-
您需要创建一个CA和由所述CA签署的客户端证书,并使用该CA验证服务器端的客户端证书。
- Yes (see the ssl_client_certificate and ssl_verify_client directives).
- Depends on your application, but in this case where you only need to verify that the certificate was signed by a certain CA, that's correct.
You would need to create a CA and a client certificate signed by said CA and use that CA for verifying the client certificate on the server side.
现在,您需要考虑的是如何解决 ssl_client_certificate 和 ssl_verify_client 指令不支持在位置块中使用(例如它们只能在http或服务器块中使用)。
Now, what you need to consider is how you will solve the problem that the ssl_client_certificate and ssl_verify_client directives doesn't support being used in a location block (e.g. they can only be used in a http or server block).
我建议为API(例如api.my_domain.com)创建一个自己的子域,并从该地址的服务中访问API。
I would suggest creating an own subdomain for the API (e.g. api.my_domain.com) and access the API from the service with that address.
示例配置:
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/public.crt;
ssl_certificate_key /etc/nginx/ssl/private.rsa;
ssl_client_certificate /etc/nginx/ssl/client_ca.pem;
ssl_verify_client on;
server_name api.my_domain.com;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app/api;
}
}
这篇关于如何在Nginx中设置双向SSL自定义位置?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!