How to configure two-way certificate verification on nginx proxy server

How to configure two-way certificate verification on nginx proxy server

Generate a certificate chain

Use the script to generate a root certificate, an intermediate certificate, and three client certificates.

The domain name of the intermediate certificate is localhost.

#!/bin/bash -x
set -e
for C in `echo root-ca intermediate`; do
 mkdir $C
 cd $C
 mkdir certs crl newcerts private
 cd ..
 echo 1000 > $C/serial
 touch $C/index.txt $C/index.txt.attr
 echo '
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = '$C' # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/.rnd # private random number file
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_days = 365
default_md = sha256
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:TRUE
' > $C/openssl.conf
done
openssl genrsa -out root-ca/private/ca.key 2048
openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'
openssl genrsa -out intermediate/private/intermediate.key 2048
openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'
openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt
mkdir out
for I in `seq 1 3` ; do
 openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048
 openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request
done

server

nginx configuration

worker_processes 1;
events {
  worker_connections 1024;
}
stream{
  upstream backend{
    server 127.0.0.1:8080;
  }
  server {
    listen 8888 ssl;
    proxy_pass backend;
    ssl_certificate intermediate.crt;
    ssl_certificate_key intermediate.key;
    ssl_verify_depth 2;
    ssl_client_certificate root.crt;
    ssl_verify_client optional_no_ca;
  }
}

Client

curl \
 -I \
 -vv \
 -x https://localhost:8888/ \
 --proxy-cert client1.crt \
 --proxy-key client1.key \
 --proxy-cacert ca.crt \
 https://www.baidu.com/

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM. If you want to learn more about this, please check out the following links

You may also be interested in:
  • How to configure nginx+php+mysql in docker
  • Solution to invalid Nginx cross-domain setting Access-Control-Allow-Origin
  • Example method of deploying react project on nginx
  • Use nginx.vim tool for syntax highlighting and formatting configuration nginx.conf file
  • Detailed explanation of the pitfalls of add_header in nginx configuration tutorial
  • Solution to the problem of information loss with "_" in header when using Nginx proxy
  • Shell script nginx automation script
  • How to create an Nginx server with Docker
  • A brief discussion on why daemon off is used when running nginx in docker
  • nginx proxy_cache batch cache clearing script introduction

<<:  WeChat applet implements a simple calculator

>>:  Detailed explanation of the role of key in React

Recommend

Summary of the switching problem and solution of installing multiple JDK versions in win10 64-bit system

Since myeclipse2017 and idea2017 are installed on...

How to configure SSL for koa2 service

I. Introduction 1: SSL Certificate My domain name...

How to implement Linux disk mounting, partitioning, and capacity expansion operations

Basic Concepts Before operation, you must first u...

Detailed explanation of Vue development website SEO optimization method

Because the data binding mechanism of Vue and oth...

Detailed explanation of concat related functions in MySQL

1. concat() function Function: Concatenate multip...

Getting Started Tutorial for Beginners ⑨: How to Build a Portal Website

Moreover, an article website built with a blog pro...

Solution for FileZilla 425 Unable to connect to FTP (Alibaba Cloud Server)

Alibaba Cloud Server cannot connect to FTP FileZi...

Specific usage of fullpage.js full screen scrolling

1.fullpage.js Download address https://github.com...

Nodejs converts JSON string into JSON object error solution

How to convert a JSON string into a JSON object? ...

React Fragment Introduction and Detailed Usage

Table of contents Preface Motivation for Fragment...

JavaScript basics for loop and array

Table of contents Loop - for Basic use of for loo...

Classification of web page color properties

Classification of color properties Any color can ...

Teach you how to solve the error when storing Chinese characters in MySQL database

Table of contents 1. Problems encountered 2. Anal...

Talk about nextTick in Vue

When the data changes, the DOM view is not update...

Vue routing returns the operation method of restoring page status

Route parameters, route navigation guards: retain...