## Generate a certificate chain

Use the script to generate a root certificate, an intermediate certificate, and three client certificates. The domain name of the intermediate certificate is localhost.

```bash
#!/bin/bash -x
set -e

for C in `echo root-ca intermediate`; do

  mkdir $C
  cd $C
  mkdir certs crl newcerts private
  cd ..

  echo 1000 > $C/serial
  touch $C/index.txt $C/index.txt.attr

  echo '
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = '$C' # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/.rnd # private random number file
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_days = 365
default_md = sha256

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
basicConstraints = CA:TRUE
' > $C/openssl.conf
done

openssl genrsa -out root-ca/private/ca.key 2048
openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'

openssl genrsa -out intermediate/private/intermediate.key 2048
openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'
openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt

mkdir out

for I in `seq 1 3` ; do
  openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048
  openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request
done
```

Note: the client certificates are signed with the intermediate key but with `-config root-ca/openssl.conf`, so their serial numbers and index entries are recorded in the root CA's database; `-config intermediate/openssl.conf` would keep the two CAs' records separate. All private keys are written unencrypted (`-nodes` for the client keys), so keep `private/` and `out/` readable only by their owner. The nginx and curl examples below use other file names (`root.crt`, `intermediate.crt`, `intermediate.key`, `client1.crt`, `client1.key`, `ca.crt`); presumably these are copies of the files generated here.

## Server nginx configuration

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

stream{
    upstream backend{
        server 127.0.0.1:8080;
    }

    server {
        listen 8888 ssl;
        proxy_pass backend;
        ssl_certificate intermediate.crt;
        ssl_certificate_key intermediate.key;
        ssl_verify_depth 2;
        ssl_client_certificate root.crt;
        ssl_verify_client optional_no_ca;
    }
}
```

Note: `ssl_verify_client optional_no_ca` only requests a client certificate; the connection is still accepted when the client sends none, or sends one that does not chain to `root.crt`. To reject clients without a valid certificate, use `ssl_verify_client on;`. Because the client certificates are issued by the intermediate, the file given to `ssl_client_certificate` then needs to contain the intermediate certificate as well as the root, or the client has to send the intermediate along with its own certificate. This configuration also uses the intermediate CA certificate and key as the server's TLS identity, which places a signing key on the proxy host; issuing a separate server certificate from the intermediate avoids that.

## Client

```bash
curl \
  -I \
  -vv \
  -x https://localhost:8888/ \
  --proxy-cert client1.crt \
  --proxy-key client1.key \
  --proxy-cacert ca.crt \
  https://www.baidu.com/
```

## Summary

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM. If you want to learn more about this, please check out the following links

You may also be interested in: