AWS API-Gateway client authentication and NGINX
Problem description
Currently I am trying to implement AWS API Gateway client authentication with NGINX backend servers. I want to prevent access to my API from anything other than the AWS API Gateway. I have created a client certificate in the AWS API Gateway console (PEM encoded) and set up my virtual host config as follows. I'm already using a CA-signed wildcard certificate to access the subdomain.
```nginx
server {
    listen 443;
    server_name api.example.com;

    # $bad_client is not defined in this snippet; nginx only accepts this
    # if a map block in the http context defines it.
    if ($bad_client) { return 403; }

    root  /usr/share/nginx/api.example.com/public;
    index index.php;

    ssl on;
    ssl_stapling on;
    # The API Gateway client certificate is given only as a trusted cert here;
    # no ssl_client_certificate directive is present (see the error below).
    ssl_trusted_certificate aws-cert.pem;
    ssl_verify_client on;

    ssl_certificate     /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_session_timeout 10m;
    # SSLv3 is obsolete and should not be enabled on a production host.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Single cipher list; the original text had two lists joined by "or",
    # which OpenSSL does not parse.
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    error_page 404 /404.html;
    location /404.html {
        internal;
    }

    location / {
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "error_log=/var/log/php5-fpm.log";
    }

    location ~ /\.ht {
        deny all;
    }
}
```
I get the following error message and the whole nginx service is not available any more. The Amazon docs are not very helpful. What am I doing wrong?

https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

```text
[emerg] 19636#0: no ssl_client_certificate for ssl_client_verify
```
In order for Nginx to verify the client, you need to tell it which certificate the client will be using. In my config I have:
```nginx
# Client auth via certs
ssl_client_certificate  /etc/nginx/ssl/cert.pem;
ssl_trusted_certificate /etc/nginx/ssl/cert.pem;
ssl_verify_client on;
```

I'm not entirely clear on the difference between the `ssl_client_certificate` and `ssl_trusted_certificate` directives; perhaps somebody else can explain that.
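A complete server block that admits only clients presenting the API Gateway certificate, added here as an example (not the asker's config and not an AWS or nginx sample). File paths are assumed placeholders; the comments spell out which directive verifies the client and which one serves OCSP stapling.

```nginx
# Added example: mTLS gate for API Gateway calls. Paths are placeholders.
server {
    listen 443 ssl;
    server_name api.example.com;

    # Server identity: the existing CA-signed wildcard cert and its key.
    ssl_certificate     /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # Trust anchor for CLIENT certificates. nginx verifies the presented
    # client cert against this file and advertises its subjects in the TLS
    # CertificateRequest. The PEM downloaded from the API Gateway console
    # goes here; this is the directive the failing config was missing.
    ssl_client_certificate /etc/nginx/ssl/aws-apigw-client.pem;
    ssl_verify_client      on;

    # Trust anchors for OCSP stapling: the issuer chain of the SERVER
    # cert, not the client cert. These CAs are not sent to clients.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/ssl/server-issuer-chain.pem;

    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;

    root  /usr/share/nginx/api.example.com/public;
    index index.php;

    location / {
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Hand the verification result and client subject to the app
        # so requests can be audited against the gateway's certificate.
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
    }
}
```

Check the file with `nginx -t` before reloading; with `ssl_verify_client on`, a request that omits the client certificate is refused by nginx with HTTP 400 ("No required SSL certificate was sent"), and `$ssl_client_verify` reads `SUCCESS` only for connections that presented the configured certificate.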