We have an application that does not support client certificates but must consume a web service that is authenticated with client certificates. To work around this, we are trying to use Nginx to reverse-proxy a local (http) URL, which our application will hit, to the remote HTTPS, client-certificate-authenticated service. The configuration is as follows:
location /secure/api/ {
    proxy_pass https://secure.webservice.com/secure/api/;
    # client certificate and key presented to the upstream
    proxy_ssl_certificate /etc/ssl/api-client.crt;
    proxy_ssl_certificate_key /etc/ssl/api-client.crt.key;
    # upstream server certificate is not checked
    proxy_ssl_verify off;
}
When trying to connect to the reverse proxy URL (http://our.proxy.com/secure/api/) it just sits there and spins. If we test the connection from the proxy with wget or openssl, we can connect successfully.
Here is a snippet from nginx/error.log:
2015/08/25 15:33:56 [info] 29810#0: *57 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:80
2015/08/25 15:34:05 [info] 29810#0: *53 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while reading response header from upstream, client: x.x.x.x, server: our.proxy.com, request: "GET /secure/api/ HTTP/1.1", upstream: "https://y.y.y.y:443/secure/api/", host: "our.proxy.com"
The "client closed connection" lines are worrying, and I am not sure which side of the connection is closing: client->proxy or proxy->upstream.
Also, it is worth noting that tcpdump does show nginx initiating a connection to secure.webservice.com over 443.
I feel the first step in figuring this out is to determine which side of the connection is closing, and why... Thoughts?
Thanks in advance.
Note: x.x.x.x is a local (private) IP, y.y.y.y is an internet (public) IP.
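As an added example that is not part of the original question, here is the same location with the upstream TLS settings a practitioner would check before anything else. The host name and client certificate paths are the ones from the question; `/etc/ssl/upstream-ca.crt` is an assumed path for the CA that issued secure.webservice.com's server certificate, and the timeouts are illustrative values.

```nginx
# Added example: hardened version of the location from the question.
# Host name and client cert paths come from the question;
# /etc/ssl/upstream-ca.crt is an assumed path for the CA that signed
# the server certificate of secure.webservice.com.
location /secure/api/ {
    proxy_pass https://secure.webservice.com/secure/api/;

    # Client certificate presented to the upstream, as in the question.
    proxy_ssl_certificate     /etc/ssl/api-client.crt;
    proxy_ssl_certificate_key /etc/ssl/api-client.crt.key;

    # nginx does not send SNI to upstreams unless told to. wget, curl and
    # a recent openssl s_client do send it, so a hand test from the proxy
    # host can succeed against a name-based TLS frontend that stalls or
    # resets nginx's handshake. Turn it on and pin the name explicitly.
    proxy_ssl_server_name on;
    proxy_ssl_name secure.webservice.com;

    # proxy_ssl_verify off accepts any certificate from the upstream, so
    # whoever can redirect the proxy's traffic can read and alter every
    # request the application sends. Verify against the issuing CA instead.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/upstream-ca.crt;

    # Fail fast instead of "spinning" so the error log names which side
    # gave up (illustrative values).
    proxy_connect_timeout 10s;
    proxy_read_timeout    30s;
}
```

With `proxy_ssl_verify on`, a failed upstream certificate check or handshake shows up in the error log as an `SSL_do_handshake()` or `upstream SSL certificate verify error` entry referring to the upstream, which answers the "which side" question directly rather than leaving only the client-side close message.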
Answer 1
There are a couple of articles on this configuration here and here. We also use client SSL certificates with Nginx and have the following working configuration, with an http-to-https redirect:
# config for upstream app servers (not aware of SSL)
upstream appcluster {
    server X.X.X.1:8000;
    server X.X.X.2:8000;
}
# http-to-https redirect
server {
    listen 80;
    server_name localhost;
    return 301 https://$server_name$request_uri;
}
# resolves SSL & client SSL here
server {
    listen 443 ssl;   # 'ssl on;' is the older, now-deprecated form of this
    server_name localhost;
    ssl_certificate <path to cert.pem>;
    ssl_certificate_key <path to cert.key>;
    # CA used to verify client certificates - this is ca.crt
    ssl_client_certificate <path to CA authority to resolve client ssl - this is ca.crt>;
    ssl_verify_client on;
    ...
    # after ssl resolution forward to upstream cluster
    location /restService {
        ...
        proxy_pass http://appcluster/restService;
    }
}
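As an added example that is not part of the answer, here is the answer's 443 server block extended so that the verified client identity reaches the app servers in appcluster, which never see the TLS session themselves. `appcluster`, `/restService` and `ca.crt` follow the answer; the certificate paths, the `/health` location and the `X-Client-*` header names are assumptions for illustration.

```nginx
# Added example building on the answer's configuration. The app servers
# behind appcluster terminate no TLS, so the only client identity they
# can trust is what nginx puts in request headers after verifying the
# client certificate here. Paths and header names are assumed.
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/ssl/cert.pem;   # assumed paths
    ssl_certificate_key /etc/nginx/ssl/cert.key;

    # CA that issued the client certificates (ca.crt in the answer).
    ssl_client_certificate /etc/nginx/ssl/ca.crt;

    # The answer uses 'on', which makes nginx reject the TLS handshake
    # (HTTP 400) when no valid certificate is sent. 'optional' lets the
    # handshake complete and leaves the decision to each location, so a
    # probe endpoint can stay open while the API requires a certificate.
    ssl_verify_client optional;
    ssl_verify_depth 1;

    # Unauthenticated probe endpoint: no certificate needed.
    location = /health {
        return 200 "ok\n";
    }

    # after ssl resolution forward to upstream cluster
    location /restService {
        # $ssl_client_verify is SUCCESS, NONE (no certificate sent) or
        # FAILED:<reason>. Anything but SUCCESS is refused here.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # proxy_set_header replaces any same-named header the client sent,
        # so the app cannot be fed a forged identity through the proxy.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;

        proxy_pass http://appcluster/restService;
    }
}
```

The headers are only trustworthy if X.X.X.1:8000 and X.X.X.2:8000 are reachable solely from the proxy; a client that can talk to port 8000 directly can set `X-Client-DN` to anything, so the app servers should bind to an interface or firewall rule that admits only the nginx host.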