Здравствуйте, Nginx-ru. берем мануал https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ и строгаем песочницу
[root@localhost ~]# cat /etc/nginx/conf.d/test.conf server { listen *:443 ssl; listen *:1443 ssl; server_name test; access_log /var/log/nginx/test_access.log; error_log /var/log/nginx/test_error.log; ssl_certificate /etc/nginx/ssl/test.crt; ssl_certificate_key /etc/nginx/ssl/test.key; ssl_client_certificate /etc/nginx/ssl/ca.crt; ssl_verify_client on; root /var/www; location / { } } [root@localhost ~]# cat /etc/nginx/conf.d/proxy.conf server { listen *:443 ssl; server_name proxy; access_log /var/log/nginx/proxy_access.log; error_log /var/log/nginx/proxy_error.log ; ssl_certificate /etc/nginx/ssl/proxy.crt; ssl_certificate_key /etc/nginx/ssl/proxy.key; root /var/www1; location / { } location /test { rewrite ^/test(.*)$ $1 break; proxy_pass https://test; proxy_set_header Host test; proxy_ssl_certificate /etc/nginx/ssl/client.crt; proxy_ssl_certificate_key /etc/nginx/ssl/client.key; proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt; proxy_ssl_verify off; } location /test2 { rewrite ^/test2(.*)$ $1 break; proxy_pass https://test:1443; proxy_set_header Host test; proxy_ssl_certificate /etc/nginx/ssl/client.crt; proxy_ssl_certificate_key /etc/nginx/ssl/client.key; proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt; proxy_ssl_verify on; } } тестируем [root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.crt --resolve test:443:127.0.0.1 https://test Mon Oct 4 10:37:00 UTC 2021 работает [root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.crt --resolve test:1443:127.0.0.1 https://test:1443 Mon Oct 4 10:37:00 UTC 2021 работает [root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test2/ Mon Oct 4 10:37:00 UTC 2021 работает [root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test/ 400 Bad Request No required SSL certificate was sent nginx/1.20.1 и еще, если сделать proxy_ssl_verify on; [root@localhost ~]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test/ <html> <head><title>502 Bad Gateway</title></head> <body> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.20.1</center> </body> </html> [root@localhost ~]# curl --cacer /etc/nginx/ssl/ca.crt --resolve proxy:443:127.0.0.1 https://proxy/test2/ Mon Oct 4 10:37:00 UTC 2021 [root@localhost ~]# tail -1 /var/log/nginx/proxy_error.log 2021/10/04 17:39:50 [error] 9230#9230: *80 upstream SSL certificate does not match "test" while SSL handshaking to upstream, client: 127.0.0.1, server: proxy, request: "GET /test/ HTTP/1.1", upstream: "https://127.0.0.1:443/", host: "proxy" [root@localhost ~]# tail -2 /var/log/nginx/proxy_access.log 127.0.0.1 - - [04/Oct/2021:17:39:50 +0000] "GET /test/ HTTP/1.1" 502 157 "-" "curl/7.29.0" 127.0.0.1 - - [04/Oct/2021:17:39:54 +0000] "GET /test2/ HTTP/1.1" 200 29 "-" "curl/7.29.0" что я делаю не так? -- С уважением, Alexander mailto:t...@irk.ru _______________________________________________ nginx-ru mailing list nginx-ru@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-ru