Здравствуйте, Nginx-ru.
берем мануал
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
и строгаем песочницу
[root@localhost ~]# cat /etc/nginx/conf.d/test.conf
server {
listen *:443 ssl;
listen *:1443 ssl;
server_name test;
access_log /var/log/nginx/test_access.log;
error_log /var/log/nginx/test_error.log;
ssl_certificate /etc/nginx/ssl/test.crt;
ssl_certificate_key /etc/nginx/ssl/test.key;
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_verify_client on;
root /var/www;
location / {
}
}
[root@localhost ~]# cat /etc/nginx/conf.d/proxy.conf
server {
listen *:443 ssl;
server_name proxy;
access_log /var/log/nginx/proxy_access.log;
error_log /var/log/nginx/proxy_error.log ;
ssl_certificate /etc/nginx/ssl/proxy.crt;
ssl_certificate_key /etc/nginx/ssl/proxy.key;
root /var/www1;
location / {
}
location /test {
rewrite ^/test(.*)$ $1 break;
proxy_pass https://test;
proxy_set_header Host test;
proxy_ssl_certificate/etc/nginx/ssl/client.crt;
proxy_ssl_certificate_key/etc/nginx/ssl/client.key;
proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
proxy_ssl_verifyoff;
}
location /test2 {
rewrite ^/test2(.*)$ $1 break;
proxy_pass https://test:1443;
proxy_set_header Host test;
proxy_ssl_certificate/etc/nginx/ssl/client.crt;
proxy_ssl_certificate_key/etc/nginx/ssl/client.key;
proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
proxy_ssl_verifyon;
}
}
тестируем
[root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --key
/etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.crt --resolve
test:443:127.0.0.1 https://test
Mon Oct 4 10:37:00 UTC 2021
работает
[root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --key
/etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.crt --resolve
test:1443:127.0.0.1 https://test:1443
Mon Oct 4 10:37:00 UTC 2021
работает
[root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --resolve
proxy:443:127.0.0.1 https://proxy/test2/
Mon Oct 4 10:37:00 UTC 2021
работает
[root@localhost conf.d]# curl --cacer /etc/nginx/ssl/ca.crt --resolve
proxy:443:127.0.0.1 https://proxy/test/
400 Bad Request
No required SSL certificate was sent
nginx/1.20.1
и еще, если сделать
proxy_ssl_verify on;
[root@localhost ~]# curl --cacer /etc/nginx/ssl/ca.crt --resolve
proxy:443:127.0.0.1 https://proxy/test/
502 Bad Gateway
502 Bad Gateway
nginx/1.20.1
[root@localhost ~]# curl --cacer /etc/nginx/ssl/ca.crt --resolve
proxy:443:127.0.0.1 https://proxy/test2/
Mon Oct 4 10:37:00 UTC 2021
[root@localhost ~]# tail -1 /var/log/nginx/proxy_error.log
2021/10/04 17:39:50 [error] 9230#9230: *80 upstream SSL certificate does not
match "test" while SSL handshaking to upstream, client: 127.0.0.1, server:
proxy, request: "GET /test/ HTTP/1.1", upstream: "https://127.0.0.1:443/";,
host: "proxy"
[root@localhost ~]# tail -2 /var/log/nginx/proxy_access.log
127.0.0.1 - - [04/Oct/2021:17:39:50 +] "GET /test/ HTTP/1.1" 502 157 "-"
"curl/7.29.0"
127.0.0.1 - - [04/Oct/2021:17:39:54 +] "GET /test2/ HTTP/1.1" 200 29 "-"
"curl/7.29.0"
что я делаю не так?
--
С уважением,
Alexander mailto:t...@irk.ru
___
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru