1

我对 NGINX 有疑问。另外,我会为您提供一个配置文件和架构模式的图片(https://ibb.co/niZCRx)。

我想通过 nginx 访问 Keycloak 并登录。我将它用作身份管理,在其中我使用用户名和密码登录,并在其中检查证书的证书,即 2FA。我的问题是,当我通过 NGINX 访问浏览器时,我没有弹出提交我的用户证书,然后进入第二步输入用户名和密码,但之后,Keycloak 告诉我我缺少证书.

我尝试并处理的事情是,如果我将这些内容添加到配置文件中,proxy_ssl_certificate 和 proxy_ssl_certificate_key 将传递它,但仅限于一个用户。例如,proxy_ssl_certificate 和 proxy_ssl_certificate_key 是来自用户 joncheski 的证书和密钥,并使用用户 joncheski 登录 Keycloak 将成功通过。但是如果我想用另一个用户登录,它就不会通过,因为证书和用户名不相等。我需要你的帮助。如何进行设置以供更多用户使用。

nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024; 
}


http {


log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

server {

listen       443 ssl;
server_name  #SET NAME OF SERVER#;

#HTTPS-and-mTLS
proxy_ssl_verify        on;
proxy_ssl_verify_depth  2;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_certificate #PATH OF PUBLIC CERTIFICATE FROM SDP GATEWAY#;
ssl_certificate_key #PATH OF PRIVATE KEY FROM SDP GATEWAY#;
ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
ssl_client_certificate #PATH OF PUBLIC CA CERTIFICATE#;
ssl_verify_client off;
ssl_session_tickets on;
ssl_session_cache   shared:SSL:40m;
ssl_session_timeout 4h;


location '/auth' {
        proxy_pass #SET HOST TO IDENTITY MANAGEMENT#;
        proxy_set_header X-Real-IP $remote_addr;              proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_http_version 1.1;

}

    location '/' {
        proxy_pass #SET HOST TO REDIRECT GUI REQUEST#;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

}

} }

最好的问候,戈西·琼切斯基

4

0 回答 0