Nginx SSL two-way (client certificate) authentication: restricting logon to a management back end
Requirement: restrict logon to the management back end. Only current employees may log on; staff who have left the company must be locked out.
Solution: configure SSL two-way authentication in Nginx, issuing each user a client certificate from a private CA and publishing a CRL so that a leaver's certificate can be revoked.
Environment: Ubuntu 14.04
OpenSSL configuration file: /etc/ssl/openssl.cnf
Nginx version: 1.8.0
Nginx SSL directory: /etc/nginx/admin
-------------------------------------------
1. Set up the certificate authority (CA) with openssl
(1) Edit the CA configuration file (/etc/ssl/openssl.cnf) and, in the [ CA_default ] section, point the CA directory at /etc/ssl:
dir = /etc/ssl
(2) Create the directory in which every signed certificate is kept (one copy per serial number)
mkdir -p /etc/ssl/newcerts
(3) Create the CA database files and the CA private key
cd /etc/ssl
# Write the initial certificate serial number (4 hex digits)
echo 12A8 > serial
# Create the (empty) certificate database
touch index.txt
# Create the CRL number counter; "openssl ca -gencrl" needs it when revoked certificates are published
echo 12A8 > crlnumber
# /etc/ssl/private is root-only on Ubuntu; the CA key is the root of trust for the whole scheme and must stay there
cd /etc/ssl/private
openssl genrsa -out cakey.pem 2048
(4) Generate the self-signed CA certificate (valid for about ten years; you are prompted for the CA's subject fields)
cd /etc/ssl/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
2. Create the server certificate
mkdir -p /etc/nginx/admin
cd /etc/nginx/admin
openssl genrsa -out nginx.key 2048   # 1024-bit RSA keys are no longer considered safe
openssl req -new -key nginx.key -out nginx.csr   # use the admin site's host name as the CN
# Sign the request with the CA. With openssl's default policy (policy_match) the request's C, ST and O fields must match the CA certificate's, otherwise signing is refused
openssl ca -in nginx.csr -out nginx.crt -days 3650
openssl ca -gencrl -crldays 7 -out ca.crl   # generate the (initially empty) certificate revocation list
3. Create a client (browser) certificate, one per user (example user: Li Lei)
mkdir -p /etc/nginx/admin/user/lilei   # one directory per user keeps keys and certificates apart
cd /etc/nginx/admin/user/lilei
openssl genrsa -out lilei.key 2048
openssl req -new -key lilei.key -out lilei.csr   # put the user's name in the CN so the entry in index.txt can be found when the certificate has to be revoked
openssl ca -in lilei.csr -out lilei.crt -days 3650
# Bundle the certificate and private key into a PKCS#12 file the browser can import. You are prompted for an export password, which the user enters when importing
openssl pkcs12 -export -clcerts -in lilei.crt -inkey lilei.key -out lilei.p12
The .p12 file contains the user's private key: hand it over out of band and do not leave spare copies on the server once it has been delivered.
4. Configure client certificate verification in Nginx (these directives go in the admin site's server block)
listen 443 ssl;   # equivalent to "ssl on;" in nginx 1.8, and the form later versions require
ssl_certificate /etc/nginx/admin/nginx.crt;
ssl_certificate_key /etc/nginx/admin/nginx.key;
ssl_client_certificate /etc/ssl/cacert.pem;   # the CA that issued the client certificates; only certificates chaining to it are accepted
ssl_session_timeout 5m;
ssl_verify_client on;   # require a client certificate on every connection and verify it against the CA
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSLv2 and SSLv3 are broken and must not be enabled
ssl_ciphers HIGH:!aNULL:!MD5;   # no anonymous DH, no export, LOW, RC4 or MD5 suites
ssl_prefer_server_ciphers on;
ssl_crl /etc/nginx/admin/ca.crl;   # also reject certificates listed in the CRL (revoked users)
With ssl_verify_client on, a client that presents no certificate, an unknown one, or a revoked one is answered with a 400 error by nginx and never reaches the application. The CRL file must be readable by the nginx worker user, and nginx reads it only at start-up or reload, so every change to it needs a reload.
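A complete server block for the admin site, as an added example that is not part of the original article. It extends the fragment above with a verification depth limit and with handing the verified certificate subject to the back-end application, which is what lets the application tie a session to a named employee rather than merely to "someone holding a certificate". The host name, the upstream address and the header names are assumptions made for the illustration.

```nginx
# Added example (not from the original article). Host name, upstream address
# and X-Client-* header names are assumptions for the illustration.
server {
    listen 443 ssl;
    server_name admin.example.test;

    ssl_certificate     /etc/nginx/admin/nginx.crt;
    ssl_certificate_key /etc/nginx/admin/nginx.key;

    # Accept only client certificates issued directly by our CA (depth 1),
    # and consult the CRL so that revoked (departed-user) certificates fail.
    ssl_client_certificate /etc/ssl/cacert.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;
    ssl_crl                /etc/nginx/admin/ca.crl;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    location / {
        # Hand the verified identity to the application. proxy_set_header
        # overwrites any header of the same name sent by the client, so the
        # upstream only ever sees the values nginx derived from the TLS session.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

If you would rather return a readable 403 page than nginx's generic 400, set ssl_verify_client optional and check $ssl_client_verify (it is "SUCCESS", "NONE" or "FAILED:reason") in the location, returning 403 for anything but SUCCESS. The application must then still refuse requests whose X-Client-Verify header is not SUCCESS.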
5. Revoke a user's certificate
cd /etc/ssl/
grep lilei index.txt   # prints a line like the following; the fields are tab-separated: status, expiry date, revocation date (empty), serial number, file name, subject
V    250817084430Z        12AC    unknown    /C=CN/ST=fujiian/O=xxx/OU=xxxx/CN=xxxxx/emailAddress=xxxxx
The value we need is the serial number, 12AC; the signed certificate is stored under that name in newcerts/.
cd /etc/ssl/newcerts
openssl ca -revoke 12AC.pem   # marks the certificate as revoked in index.txt
Afterwards the status letter of that line in index.txt has changed from V to R.
Revocation alone does not lock the user out: nginx checks the CRL file, not index.txt, so after every revocation the CRL must be regenerated (openssl ca -gencrl, as in step 2) and nginx reloaded, otherwise the revoked certificate still passes verification. In addition, the CRL was generated with -crldays 7, so its nextUpdate field lies 7 days ahead; once that date passes, OpenSSL treats the CRL as expired and nginx rejects every client certificate, not only the revoked ones. The regeneration therefore has to run from cron well inside that window (daily, for example).
The scheduled task script is as follows:
#!/bin/sh
# Regenerate the CRL (nextUpdate 7 days ahead) and reload nginx so the new file is picked up
NGINX_SSL_PATH=/etc/nginx/admin
cd "$NGINX_SSL_PATH" || exit 1
openssl ca -gencrl -crldays 7 -out ca.crl || exit 1
DATE_NOW1=$(/bin/date '+%Y-%m-%d %H:%M:%S')
echo "$DATE_NOW1 CRL updated successfully" >> /home/cron/updata_cakey.log
/etc/init.d/nginx reload
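The whole procedure (steps 1, 2, 3 and 5 plus the CRL regeneration from the cron script) as one script that runs end to end in a throwaway directory, so it can be tried without touching /etc/ssl or nginx. This is an added example, not code from the original article: the directory layout, the certificate subjects, the second user hanmeimei, the .p12 export password and the minimal stand-in openssl.cnf are all assumptions made for the demo; only the openssl command-line tool is required. The last step shows what ssl_verify_client plus ssl_crl amount to: the un-revoked user still verifies against the CA and CRL, the revoked one no longer does.

```shell
#!/bin/sh
# Added example, not from the original article: the CA, server-certificate,
# client-certificate and revocation steps above, run end to end in a
# throwaway directory. Layout, subjects and file names are demo assumptions.

# Builds the CA, issues a server cert and a client cert each for lilei and
# hanmeimei, revokes lilei, regenerates the CRL and checks both clients the
# way nginx does. Returns 0 only if hanmeimei verifies and lilei is rejected.
run_ca_demo() {
    CA_DIR=$(mktemp -d) || return 1
    OLD_DIR=$(pwd)
    cd "$CA_DIR" || return 1
    mkdir -p newcerts private user/lilei user/hanmeimei || return 1
    echo 12A8 > serial      # first certificate serial number (hex)
    echo 12A8 > crlnumber   # CRL number counter, read by "openssl ca -gencrl"
    : > index.txt           # empty certificate database

    # Stand-in for /etc/ssl/openssl.cnf with dir pointed at this directory.
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 3650
default_crl_days = 7
policy           = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF

    # Step 1: CA key and self-signed CA certificate.
    openssl genrsa -out private/cakey.pem 2048 2>/dev/null || return 1
    openssl req -config ca.cnf -new -x509 -extensions v3_ca -days 3655 \
        -key private/cakey.pem -subj "/CN=Admin CA" -out cacert.pem || return 1

    # Step 2: server certificate, then the first (empty) CRL.
    openssl genrsa -out nginx.key 2048 2>/dev/null || return 1
    openssl req -config ca.cnf -new -key nginx.key -subj "/CN=admin.example.test" \
        -out nginx.csr || return 1
    openssl ca -config ca.cnf -batch -notext -extensions usr_cert \
        -in nginx.csr -out nginx.crt 2>/dev/null || return 1
    openssl ca -config ca.cnf -gencrl -crldays 7 -out ca.crl 2>/dev/null || return 1

    # Step 3: key, CA-signed certificate and browser-importable .p12 per user.
    for u in lilei hanmeimei; do
        openssl genrsa -out "user/$u/$u.key" 2048 2>/dev/null || return 1
        openssl req -config ca.cnf -new -key "user/$u/$u.key" -subj "/CN=$u" \
            -out "user/$u/$u.csr" || return 1
        openssl ca -config ca.cnf -batch -notext -extensions usr_cert \
            -in "user/$u/$u.csr" -out "user/$u/$u.crt" 2>/dev/null || return 1
        openssl pkcs12 -export -clcerts -in "user/$u/$u.crt" -inkey "user/$u/$u.key" \
            -out "user/$u/$u.p12" -passout pass:changeit || return 1   # demo import password
    done

    # Step 5: lilei leaves. Serial = 4th tab-separated field of the index.txt
    # line; the signed copy lives in newcerts/<serial>.pem. Revoke, then
    # regenerate the CRL, otherwise the revocation is never published.
    serial=$(grep 'CN=lilei' index.txt | cut -f4)
    openssl ca -config ca.cnf -revoke "newcerts/$serial.pem" 2>/dev/null || return 1
    grep -q '^R' index.txt || return 1      # status letter flipped from V to R
    openssl ca -config ca.cnf -gencrl -crldays 7 -out ca.crl 2>/dev/null || return 1

    # Step 4, as ssl_verify_client + ssl_crl do it in nginx: chain to the CA
    # and CRL check. hanmeimei must pass, lilei must now fail.
    openssl verify -CAfile cacert.pem -crl_check -CRLfile ca.crl \
        user/hanmeimei/hanmeimei.crt >/dev/null 2>&1 || return 1
    if openssl verify -CAfile cacert.pem -crl_check -CRLfile ca.crl \
        user/lilei/lilei.crt >/dev/null 2>&1; then
        return 1
    fi

    cd "$OLD_DIR" && rm -rf "$CA_DIR"
}

run_ca_demo && echo "CA demo OK: hanmeimei accepted, lilei revoked"
```

The policy section only lists commonName, so openssl ca drops any other subject field from the request; the page's real setup uses the stock openssl.cnf, whose policy_match instead requires C, ST and O to match the CA. The -crl_check run is the same verification nginx performs when ssl_crl is set, which is why the CRL regeneration after -revoke is the step that actually locks the user out.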