
我已经为 SSL 客户端认证(ssl-client-authentication)配置了 nginx。GET 和不带请求体的 POST 都能正常工作,但当我们发送带有请求体的 POST 时,客户端证书没有被传递。

  1. 要么 nginx 不要求证书
  2. 或者客户端(javascript)本身忽略了证书,我不确定是哪一种情况

Nginx 配置

# Backend pool behind the TLS terminator below. Its name doubles as the host
# used by `proxy_pass https://abc-abc.com;` in the server block.
upstream abc-abc.com {
    # ip_hash picks among the listed servers by client address; with a single
    # server listed there is nothing to choose between, so it is currently moot.
    ip_hash;
    server 172.16.x.x:8987;
}


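server {
        listen 443 ssl;
        client_max_body_size 100M;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them
        # from this list once no supported client still depends on them.
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate ssl/bundle.crt;
        ssl_certificate_key ssl/abc.key;
        # "optional": nginx asks for a client certificate during the TLS
        # handshake but still serves requests that present none or an invalid
        # one; the outcome is only reported in $ssl_client_verify. The upstream
        # must therefore check X-SSL-Verify == "SUCCESS" before trusting any
        # other X-SSL-* header. Because the certificate is requested at
        # handshake time, the HTTP method (GET vs. POST with a body) does not by
        # itself change whether one is present on a given connection; logging
        # $ssl_client_verify in access_log shows whether the POSTs arrive on
        # connections that never offered a certificate.
        ssl_verify_client optional;
        ssl_client_certificate /certs/client_ca.cert;


        # Use Server preference
        ssl_prefer_server_ciphers on;
        # NOTE(review): no ssl_ciphers directive is set, so the build's default
        # cipher list applies; set an explicit list if that default is not the
        # intended policy.
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # Anchored at the end and with the dot escaped: the previous pattern
        # ended in an unanchored "abc.com", so a host such as
        # "abc-abcXcom.example" also matched. nginx selects the server block
        # for the TLS handshake by SNI, so a name that does not match is
        # handled by whichever default server exists on this port (not shown
        # here) and inherits that block's client-certificate settings.
        server_name "~^abc-(?:[A-Za-z0-9]{0,21}[A-Za-z0-9])?-?abc\.com$";
        proxy_buffering off;
        error_log /proc/self/fd/2;
        access_log /proc/self/fd/1;
        server_tokens off;
        location = /robots.txt {
                return 200 "User-agent: *\nDisallow: /\n";
        }
        location / {
                # NOTE(review): proxy_ssl_verify defaults to off, so the
                # upstream's certificate is not checked on this hop; enable
                # proxy_ssl_verify with proxy_ssl_trusted_certificate if the
                # path to 172.16.x.x is not otherwise protected.
                proxy_pass https://abc-abc.com;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                # HTTP 1.1 support
                proxy_http_version 1.1;
                # Connection was previously set twice ("" and then
                # $connection_upgrade); the two directives conflict, so only the
                # upgrade-aware one is kept. $connection_upgrade must be defined
                # by a map in the http context (not shown here).
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_read_timeout  36000s;

                # Client-certificate details for the upstream. proxy_set_header
                # replaces any same-named header the client sent, so these
                # values cannot be injected through nginx; they can be forged by
                # anything that reaches 172.16.x.x:8987 directly, so the
                # upstream should accept connections only from this proxy.
                proxy_set_header X-SSL-Serial $ssl_client_serial;
                proxy_set_header X-SSL-Verify $ssl_client_verify;
                proxy_set_header X-SSL-SDN $ssl_client_s_dn;
                proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;
                proxy_set_header X-SSL-Fingerprint $ssl_client_fingerprint;
                proxy_set_header X-SSL-Start-Date $ssl_client_v_start;
                proxy_set_header X-SSL-End-Date $ssl_client_v_end;

        }
}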

请帮忙,谢谢。
