Generate a certificate chain

Use the script to generate a root certificate, an intermediate certificate, and three client certificates. The script is derived from (modified)

The domain name of the intermediate certificate is localhost.

```bash
#!/bin/bash -x
set -e

# Create the directory layout and a minimal openssl.conf for each CA.
for C in root-ca intermediate; do
  mkdir "$C"
  cd "$C"
  mkdir certs crl newcerts private
  cd ..
  echo 1000 > "$C/serial"
  touch "$C/index.txt" "$C/index.txt.attr"

  echo '
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = '$C' # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/.rnd # private random number file
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_days = 365
default_md = sha256

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
basicConstraints = CA:TRUE
' > "$C/openssl.conf"
done

# Root CA: private key and self-signed certificate (valid for 10 years).
openssl genrsa -out root-ca/private/ca.key 2048
openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'

# Intermediate CA: private key and CSR, then signed by the root CA with CA:TRUE.
# The CN is localhost, the host name the client connects to.
openssl genrsa -out intermediate/private/intermediate.key 2048
openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost'
openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt

# Three client certificates, each signed with the intermediate CA key.
mkdir out
for I in $(seq 1 3); do
  openssl req -new -keyout "out/$I.key" -out "out/$I.request" -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048
  openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out "out/$I.crt" -infiles "out/$I.request"
done
```

Server nginx configuration

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

stream {
    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 8888 ssl;
        proxy_pass backend;

        # Server certificate and key: the intermediate certificate (CN=localhost).
        ssl_certificate intermediate.crt;
        ssl_certificate_key intermediate.key;

        ssl_verify_depth 2;
        ssl_client_certificate root.crt;
        # optional_no_ca requests a client certificate but does not require it
        # to be signed by a trusted CA; use "on" to enforce verification.
        ssl_verify_client optional_no_ca;
    }
}
```

Client

```bash
curl \
  -I \
  -vv \
  -x https://localhost:8888/ \
  --proxy-cert client1.crt \
  --proxy-key client1.key \
  --proxy-cacert ca.crt \
  https://www.baidu.com/
```
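The server above trusts only root.crt for client certificates, while the client certificates are issued by the intermediate. The following added example (not part of the original article) builds a throwaway chain with openssl and shows that a verifier holding only the root validates a client certificate only when the intermediate is also supplied. The file names, the Demo-* CNs and the helper functions build_demo_chain and verify_chain are hypothetical.

```shell
#!/bin/bash
# Added example, not from the original article. File names and CNs are constructed.
# Builds a throwaway chain (root -> intermediate -> client) and verifies it.

build_demo_chain() {   # $1 = existing output directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root CA.
  openssl req -config "$d/ca.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj '/CN=Demo-Root' -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA: CSR signed by the root, marked CA:TRUE.
  openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj '/CN=Demo-Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 1 \
    -out "$d/int.crt" 2>/dev/null
  # Client certificate: CSR signed by the intermediate, no CA extension.
  openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj '/CN=1.example.com' -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# verify_chain ROOT LEAF [INTERMEDIATES]: exit 0 only if LEAF chains to ROOT.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  tmp=$(mktemp -d) || return 1
  build_demo_chain "$tmp" || { rm -rf "$tmp"; return 1; }
  verify_chain "$tmp/root.crt" "$tmp/client.crt" "$tmp/int.crt" \
    && echo "root + intermediate: client certificate verifies"
  verify_chain "$tmp/root.crt" "$tmp/client.crt" \
    || echo "root only: client certificate does not verify"
  rm -rf "$tmp"
}
demo
```

With `ssl_verify_client on`, the same rule applies to nginx: the intermediate has to be available to the verifier, for example by adding intermediate.crt to the file named in `ssl_client_certificate`.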