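I have configured nginx for SSL client authentication. It works for GET and POST (without a payload). But when we use POST with a body, the client does not pass the certificate.
- Either nginx is not asking for the certificate
- Or the client (JavaScript) itself is ignoring the certificate; I am not sure
Nginx configuration: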

    upstream abc-abc.com {
        ip_hash;
        server 172.16.x.x:8987;
    }
    server {
        listen 443 ssl;
        client_max_body_size 100M;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate ssl/bundle.crt;
        ssl_certificate_key ssl/abc.key;
        ssl_verify_client optional;
        ssl_client_certificate /certs/client_ca.cert;
        # Use Server preference
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        server_name "~^abc-(?:[A-Za-z0-9]{0,21}[A-Za-z0-9])?-?abc.com";
        proxy_buffering off;
        error_log /proc/self/fd/2;
        access_log /proc/self/fd/1;
        server_tokens off;
        location = /robots.txt {
            return 200 "User-agent: *\nDisallow: /\n";
        }
        location / {
            proxy_pass https://abc-abc.com;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # HTTP 1.1 support
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_read_timeout 36000s;
            proxy_set_header X-SSL-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Verify $ssl_client_verify;
            proxy_set_header X-SSL-SDN $ssl_client_s_dn;
            proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;
            proxy_set_header X-SSL-Fingerprint $ssl_client_fingerprint;
            proxy_set_header X-SSL-Start-Date $ssl_client_v_start;
            proxy_set_header X-SSL-End-Date $ssl_client_v_end;
        }
    }

Please help, thanks.