AWS API-Gateway client authentication and NGINX


Problem description



Currently I am trying to implement the AWS API Gateway client authentication with NGINX backend servers. I want to prevent access to my API except from the AWS API Gateway. I have created a client certificate in the AWS API Gateway console (PEM encoded) and set up my virtual host config as follows. I'm already using a CA-signed wildcard certificate to access the subdomain.

server {
    listen 443;
    server_name api.example.com;

    # $bad_client is presumably defined by a map in the http context (not shown here)
    if ($bad_client) { return 403; }

    root  /usr/share/nginx/api.example.com/public;
    index index.php;

    ssl on;
    ssl_stapling on;
    # Only the trusted-CA list is given; there is no ssl_client_certificate directive,
    # which is what the error below complains about
    ssl_trusted_certificate aws-cert.pem;
    ssl_verify_client on;

    # Server's own CA-signed wildcard certificate
    ssl_certificate     /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_session_timeout 10m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # "or" is a stray word from pasting two alternative cipher strings; use one of them
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    error_page 404 /404.html;
    location /404.html {
        internal;
    }

    location / {
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "error_log=/var/log/php5-fpm.log";
    }

    # Never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

I get the following error message and the whole nginx service is not available any more. The Amazon docs are not very helpful. What am I doing wrong?

https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

 [emerg] 19636#0: no ssl_client_certificate for ssl_client_verify

Solution

In order for Nginx to verify the client, you need to tell it which certificate the client will be using. In my config I have:

# Client auth via certs
ssl_client_certificate /etc/nginx/ssl/cert.pem;
ssl_trusted_certificate /etc/nginx/ssl/cert.pem;
ssl_verify_client on;

I'm not entirely clear on the difference between the ssl_client_certificate and ssl_trusted_certificate directives; perhaps somebody else can explain that.

Docs here.
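The answer above supplies the missing directive. As an added example (not the asker's or the answerer's configuration), here is a complete server block built around it, with the SSLv3 from the question dropped. On the two directives the answer is unsure about: ssl_client_certificate names the CA certificates nginx uses to verify client certificates and advertises that list to clients during the handshake, whereas ssl_trusted_certificate names CA certificates that are trusted for verification (and for OCSP stapling) but are not advertised; ssl_verify_client on requires the former, which is exactly what the "no ssl_client_certificate for ssl_client_verify" error says. The certificate API Gateway generates is self-signed, so the downloaded PEM is its own trust anchor. The file paths and the apigw-client.pem filename are assumptions.

```nginx
# Added example: nginx server block that only admits TLS clients presenting
# the API Gateway client certificate. Assumed paths:
#   /etc/nginx/ssl/apigw-client.pem  - PEM downloaded from the API Gateway console
#   /etc/nginx/ssl/ca-bundle.crt     - server's CA-signed wildcard certificate
#   /etc/nginx/ssl/private.key       - its private key
server {
    listen 443 ssl;
    server_name api.example.com;

    # Certificate the backend presents to API Gateway.
    ssl_certificate     /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # Trust anchor for client certificates. The API Gateway certificate is
    # self-signed, so the PEM itself is the anchor. Without this directive
    # nginx refuses to start when ssl_verify_client is on.
    ssl_client_certificate /etc/nginx/ssl/apigw-client.pem;
    ssl_verify_client on;    # handshake is rejected unless the client cert chains to the PEM
    ssl_verify_depth 1;      # self-signed leaf, no intermediates expected

    # Protocol hygiene: SSLv3 (present in the question's config) is broken by POODLE.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;

    root  /usr/share/nginx/api.example.com/public;
    index index.php;

    # Defence in depth: with "on" the handshake already fails, but if
    # ssl_verify_client is ever relaxed to "optional" this still blocks
    # requests whose certificate did not verify.
    if ($ssl_client_verify != SUCCESS) { return 403; }

    error_page 404 /404.html;
    location /404.html { internal; }

    location / {
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Hand the verified client subject to the application for audit logging.
        fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
    }

    location ~ /\.ht { deny all; }
}
```

Before reloading, confirm the PEM is what you expect with `openssl x509 -in /etc/nginx/ssl/apigw-client.pem -noout -subject -issuer -enddate`: subject and issuer should match (self-signed), and the expiry date matters because API Gateway client certificates expire and must be rotated, at which point the file on the backend has to be replaced or API Gateway's calls start failing the handshake. Then run `nginx -t` so a bad path is caught at config test rather than by the whole service going down, as happened in the question.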
