Nginx, Tomcat, SSL, two-way authentication

Source: Internet
Author: User
Tags: pkcs12, nginx, server, pfx file

1. Certificate Hierarchy

2. Server architecture


Tomcat does not require client authentication; Nginx requires client authentication.

3. Tomcat configuration Attention Point

The CN of the server certificate for Tomcat must be tomcat_backend, the upstream name used in proxy_pass; otherwise Nginx's proxy_ssl_verify will reject Tomcat's certificate.

4. Nginx Configuration Attention Point

Export the PEM-format public key certificate from a PFX file using OpenSSL:

    openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem

To export a PEM-formatted private key from a PFX file using OpenSSL (-nodes writes the key unencrypted, so restrict the permissions of the output file):

    openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem

Using OpenSSL to build the CA certificate chain
1. Export the public key certificates of the root CA and the intermediate CA, for example as root.pem and ca.pem.
2. Concatenate ca.pem and root.pem into one file, with ca.pem first and root.pem after it:

    cat ca.pem >> chain.pem
    cat root.pem >> chain.pem


Nginx Server Segment Configuration

    server {
        listen       443;
        server_name  localhost;
        ssl                  on;
        ssl_certificate      <nginx server certificate (public key)>;
        ssl_certificate_key  <nginx server certificate private key>;
        ssl_session_timeout  5m;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        ssl_verify_client on;              # enable client certificate verification
        ssl_verify_depth 2;                # be careful here: write the number of CA levels above the certificate
        ssl_client_certificate chain.pem;  # certificate chain used to verify the certificate presented by the client
        ssl_trusted_certificate <certificate chain>;

        location / {
            proxy_pass      https://tomcat_backend;
            include        proxy.conf;
        }
    }

Note that this configuration dates from when SSLv2/SSLv3 were still in use: on a current Nginx build, `ssl on` has been replaced by `listen 443 ssl`, and `ssl_protocols` should list only TLS versions.

Nginx passes the client certificate to the back-end Tomcat in an HTTP header. Configure this in the proxy.conf file:

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header Client-Cert $ssl_client_cert;  # put the client certificate in an HTTP header and pass it to the back-end Tomcat
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 30;
    proxy_send_timeout   15;
    proxy_read_timeout   15;
    proxy_buffer_size   4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size   64k;
    proxy_temp_file_write_size 64k;
    proxy_ssl_certificate localhost.pem;  # if the back-end Tomcat also requires client authentication, Nginx sends this certificate to Tomcat when it opens the connection
    proxy_ssl_certificate_key localhost.key;
    proxy_ssl_trusted_certificate chain.pem;  # if proxy_ssl_verify is enabled, the CA public keys in this file are used to verify the back-end Tomcat's certificate
    proxy_ssl_verify on;  # whether Nginx verifies the back-end Tomcat's certificate
    proxy_ssl_verify_depth 2;
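The value of $ssl_client_cert is the PEM certificate with a tab inserted after every newline, so the back end has to undo that folding before it can parse the certificate, and it must only honour the Client-Cert header on requests that actually came from Nginx, since Tomcat itself does no client authentication. The Python below is an added example of that back-end handling, not code from the original article; the sample certificate body, the trusted proxy range 10.0.0.0/24 and the header name Client-Cert (from the proxy.conf above) are constructed or assumed.

```python
import ipaddress
import re
import ssl
import textwrap
from typing import Optional
from urllib.parse import quote, unquote

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# Constructed sample: valid base64 framing, not a real certificate.
SAMPLE_PEM = PEM_HEADER + "\nMIIBszCCAVmgAwIBAgIUQ2xpZW50Q2VydA==\n" + PEM_FOOTER + "\n"
# Assumed address range of the Nginx hosts allowed to set Client-Cert.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def nginx_fold(pem: str) -> str:
    """Render a PEM the way $ssl_client_cert does: the trailing newline is
    dropped and every remaining newline is followed by a tab."""
    return pem.rstrip("\n").replace("\n", "\n\t")


# The percent-encoded form produced by the newer $ssl_client_escaped_cert.
ESCAPED_SAMPLE = quote(SAMPLE_PEM, safe="")


def header_to_pem(value: str) -> str:
    """Rebuild a canonical PEM from the forwarded header, whether it still
    carries the "\\n\\t" folding, had the folds collapsed to spaces by an
    intermediate hop, or is percent-encoded."""
    value = unquote(value)  # no-op unless the value was escaped
    start, end = value.find(PEM_HEADER), value.find(PEM_FOOTER)
    if start < 0 or end < start:
        raise ValueError("header does not carry a PEM certificate")
    body = re.sub(r"\s+", "", value[start + len(PEM_HEADER):end])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def client_cert_der(headers: dict, remote_addr: str) -> Optional[bytes]:
    """DER bytes of the forwarded client certificate, or None. The header is
    honoured only when the request comes from a trusted Nginx host; anyone
    who can reach Tomcat directly could otherwise supply their own header."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    value = {k.lower(): v for k, v in headers.items()}.get("client-cert")
    if not value:
        return None
    return ssl.PEM_cert_to_DER_cert(header_to_pem(value))
```

The DER bytes can then be handed to a real X.509 parser; the point here is the normalisation and the source check that must happen before any parsing.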

For information about generating CA certificates, client certificates, and server certificates, see Implementing SSL bidirectional Authentication in JEE projects

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.