SSL双向认证(也称为客户端证书认证)要求客户端和服务器都提供证书进行验证。以下是配置Nginx实现SSL双向认证的详细步骤:
首先确保你已经拥有:
- 服务器证书和私钥
- CA(证书颁发机构)的根证书
- 用于验证客户端证书的CA证书(如有中间CA,需一并包含)
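server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Server certificate (with any intermediate certificates appended) and its private key.
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # Shared session cache so resumed TLS sessions skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Protocols and cipher suites. The original list ended in a literal "..." placeholder,
    # which is not a cipher name; it is completed here with AEAD, forward-secret suites only.
    # Note: ssl_ciphers governs TLS 1.2 and below; TLS 1.3 suites are fixed by the TLS library.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
}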
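server {
    # ... base TLS configuration from the server block above (listen, certificates, protocols, ciphers)

    # Require a client certificate. A client that presents none, or one that does not chain
    # to the CA below, is rejected at the handshake (the client sees HTTP 400).
    ssl_verify_client on;

    # Trusted CA certificate(s) used to verify client certificates. The file must contain
    # every intermediate CA in the client chain, not only the root, or verification fails.
    ssl_client_certificate /path/to/ca.crt;

    # Maximum accepted chain length (default 1). Raise it only as far as the PKI needs;
    # each extra level is one more CA whose issued certificates are accepted.
    ssl_verify_depth 2;

    # ssl_verify_client may appear only once per server block; the original had a second
    # `ssl_verify_client optional_no_ca;` here, which is a duplicate-directive error and
    # would also have silently disabled CA checking. The directive does not set a status
    # code. Its other modes: `optional` verifies a certificate if one is presented and
    # exposes the result in $ssl_client_verify (SUCCESS / FAILED:reason / NONE) so a
    # location can enforce it; `optional_no_ca` requests a certificate but does NOT check
    # it against the CA, and is only appropriate when something behind nginx verifies it.
}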
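location /secure {
    # ssl_verify_client is only permitted in http and server context, so the original
    # `ssl_verify_client on;` inside this location would fail the config check.
    # Per-location enforcement works the other way round: the enclosing server block
    # sets `ssl_verify_client optional;`, and this location refuses any request whose
    # client certificate was absent or failed verification.
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    # ... other configuration
}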
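location / {
    # Forward the client-certificate verdict and identity to the backend.
    # proxy_set_header replaces any same-named header sent by the client, so these
    # values are trustworthy only on the nginx -> backend path: the backend must not be
    # reachable by any route that bypasses nginx, or a caller could forge them.
    # With `ssl_verify_client optional` the verdict may be NONE or FAILED:..., so the
    # backend has to check for the exact value SUCCESS rather than for header presence.
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
    # $ssl_client_cert is deprecated; the escaped form is a single-line, header-safe
    # encoding of the PEM certificate (nginx 1.13.5+).
    proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
}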
# Certificate revocation list checked during client-certificate verification.
# Valid in http and server context, i.e. next to ssl_client_certificate. The file is
# read when the configuration is loaded, so a refreshed CRL needs an nginx reload to
# take effect — NOTE(review): confirm against the nginx version in use.
ssl_crl /path/to/crl.pem;
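server {
    listen 443 ssl;
    server_name secure.example.com;

    # Server certificate chain and private key.
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    # TLS session reuse and protocol/cipher selection. The original cipher list ended in a
    # literal "..." placeholder; it is completed with forward-secret AEAD suites here.
    # ssl_ciphers applies to TLS 1.2 and below; TLS 1.3 suites are fixed by the TLS library.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # Mutual TLS. ssl_verify_client is only valid in http/server context, so it is set
    # once here for the whole server; the original repeated it inside /api, which nginx
    # rejects. With `on`, every request to this server (including `/`) needs a valid client
    # certificate. To serve `/` without one, change this to `optional` — the check inside
    # /api below then becomes the thing that enforces the certificate there.
    ssl_verify_client on;
    # Must contain the full issuing chain (root plus intermediates) for client certificates.
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_depth 2;

    # Verdict and subject DN forwarded to proxied backends (inherited by every location).
    # These headers are only trustworthy if the backend accepts connections solely from
    # nginx, since proxy_set_header overwrites client-supplied headers only on this path.
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;

    location / {
        root /var/www/html;
        try_files $uri $uri/ =404;
    }

    location /api {
        # Reject anything whose client certificate was absent or failed verification.
        # Redundant while ssl_verify_client is `on` (the handshake already fails), and
        # the actual enforcement once it is relaxed to `optional`. The original's
        # `optional_no_ca` here was both invalid in this context and looser, not stricter:
        # it skips the CA check entirely.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://backend;
    }
}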
# Handshake test with a client certificate: -cert/-key present the client identity,
# -CAfile verifies the server's certificate. Inspect the output for "Verify return code: 0"
# and for the server's "Acceptable client certificate CA names" list.
openssl s_client -connect yourdomain.com:443 -cert client.crt -key client.key -CAfile ca.crt
# Same check at the HTTP layer; a rejected or missing client certificate shows up as an
# HTTP 400 from nginx (or 403 from a location-level $ssl_client_verify check).
curl --cert client.crt --key client.key --cacert ca.crt https://yourdomain.com
证书验证失败:
性能问题:
错误日志查看:
# Follow the error log while reproducing a failing handshake; client-certificate
# failures are logged here with the OpenSSL verify reason.
tail -f /var/log/nginx/error.log
通过以上配置,你可以成功在Nginx上实现SSL双向认证,增强服务的安全性。