1. Certificate Hierarchy
2. Server architecture
Tomcat does not require client authentication; Nginx does (the client certificate is checked at Nginx and then forwarded to Tomcat).
3. Tomcat configuration Attention Point
The CN of Tomcat's server certificate must be tomcat_backend, because that is the upstream host name used in proxy_pass, and it is the name nginx checks against the certificate when proxy_ssl_verify is on.
4. Nginx Configuration Attention Point
Export a PEM-format public-key certificate from a PFX file using OpenSSL
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
Export a PEM-format private key from a PFX file using OpenSSL (-nodes writes the key unencrypted, so protect the output file)
openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem
Using OpenSSL to generate a CA certificate chain
1. Export the public-key certificates of the root CA and the intermediate CA, for example as root.pem and ca.pem.
2. Merge ca.pem and root.pem into one file, with ca.pem first and root.pem after it:
cat ca.pem >> chain.pem
cat root.pem >> chain.pem
Nginx Server Segment Configuration
server {
    listen 443;
    server_name localhost;
    ssl on;                            # deprecated in newer nginx in favour of "listen 443 ssl;"
    ssl_certificate <nginx server certificate public key>;
    ssl_certificate_key <nginx server certificate private key>;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;   # as in the original; SSLv2/SSLv3 are broken, current deployments should allow only TLSv1.2 and later
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_verify_client on;              # enable client certificate verification
    ssl_verify_depth 2;                # important: set this to the number of CA levels above the end-entity certificate
    ssl_client_certificate chain.pem;  # certificate chain used to verify the certificate presented by the client
    ssl_trusted_certificate <certificate chain>;
    location / {
        proxy_pass https://tomcat_backend;
        include proxy.conf;
    }
}
Nginx passes the client certificate to the back-end Tomcat in an HTTP header. This is configured in the proxy.conf file:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Client-Cert $ssl_client_cert;   # put the client certificate in an HTTP header and pass it to the back-end Tomcat
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 30;
proxy_send_timeout 15;
proxy_read_timeout 15;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_ssl_certificate localhost.pem;             # if the back-end Tomcat also requires client authentication, nginx sends this certificate to Tomcat when it opens the connection
proxy_ssl_certificate_key localhost.key;
proxy_ssl_trusted_certificate chain.pem;         # if proxy_ssl_verify is on, the CA public keys in this file are used to verify the back-end Tomcat's certificate
proxy_ssl_verify on;                             # whether nginx verifies the back-end Tomcat's certificate
proxy_ssl_verify_depth 2;
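The back end has to undo what nginx does to the certificate before it can use it: $ssl_client_cert keeps the PEM line breaks and prefixes every line after the first with a tab, while the newer $ssl_client_escaped_cert (nginx 1.13.5 and later) URL-encodes the whole PEM. The added example below (not code from the original post, and not Tomcat's own handling of the header) normalizes both forms back into canonical PEM, decodes it to DER with the standard library, and only trusts the Client-Cert header when the request actually came from the proxy, since a client that can reach Tomcat directly could otherwise supply its own header. The certificate body, the TRUSTED_PROXIES set and the function names are constructed for the example.

```python
import base64
import re
import ssl
from typing import Optional
from urllib.parse import quote, unquote

# Constructed sample: the PEM body is base64 of placeholder bytes, not a real
# X.509 certificate, so the example runs offline. In production the header
# carries the client's actual certificate as forwarded by nginx.
_FAKE_DER = b"constructed DER placeholder"
_FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()   # encodebytes ends each line with "\n"
    + "-----END CERTIFICATE-----\n"
)

# Assumption for the example: nginx runs on the same host as Tomcat.
TRUSTED_PROXIES = {"127.0.0.1"}


def as_ssl_client_cert_header(pem: str) -> str:
    """Produce the same text nginx's $ssl_client_cert puts in the header:
    line breaks kept, every line after the first prefixed with a tab."""
    lines = pem.strip("\n").split("\n")
    return lines[0] + "".join("\n\t" + line for line in lines[1:])


def as_ssl_client_escaped_cert_header(pem: str) -> str:
    """Produce the URL-encoded form used by $ssl_client_escaped_cert."""
    return quote(pem, safe="")


def normalize_client_cert_header(value: str) -> str:
    """Undo either nginx encoding and return a single canonical PEM block.
    Raises ValueError if the value is not one well-formed PEM certificate."""
    if "%" in value and "\n" not in value:
        value = unquote(value)          # escaped form: no raw newlines, has %XX
    lines = [line.strip(" \t\r") for line in value.split("\n")]
    lines = [line for line in lines if line]
    if (len(lines) < 3
            or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("Client-Cert header is not a single PEM certificate")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("Client-Cert body is not base64")
    return "\n".join(lines) + "\n"


def client_cert_der(header_value: str) -> bytes:
    """Header value as sent by nginx -> DER bytes of the client certificate."""
    pem = normalize_client_cert_header(header_value)
    return ssl.PEM_cert_to_DER_cert(pem)


def authenticated_client_cert(headers: dict, remote_addr: str) -> Optional[bytes]:
    """Return the client's DER certificate only if the request arrived via a
    trusted proxy; a Client-Cert header on a direct connection is untrusted."""
    if remote_addr not in TRUSTED_PROXIES:
        return None
    value = headers.get("Client-Cert")
    if value is None:
        return None
    return client_cert_der(value)


if __name__ == "__main__":
    hdr = as_ssl_client_cert_header(_FAKE_PEM)
    print(repr(hdr[:60]))
    print(authenticated_client_cert({"Client-Cert": hdr}, "127.0.0.1") == _FAKE_DER)
    print(authenticated_client_cert({"Client-Cert": hdr}, "10.0.0.5"))
```

The DER bytes returned here would then be parsed by an X.509 library to read the subject and check revocation; with a real certificate the tab-stripping step is the one that usually trips up back ends that read $ssl_client_cert.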
For how to generate the CA, client and server certificates, see "Implementing SSL bidirectional authentication in JEE projects".
Nginx, Tomcat, SSL, two-way authentication