Nginx - SSL、HSTS 和代理请求到不同的 CN

tag-icon tag-icon nginx ssl reverse-proxy azure
Nginx - SSL、HSTS 和代理请求到不同的 CN

我们使用 Nginx 作为反向代理,并希望允许网站访问者从 Azure Blob 下载文件

            server {
            listen 443;
            ssl_certificate /sslcert/ssl.crt;
            ssl_certificate_key /sslcert/com.key;
            server_name get.domain.com;

            location / {

            proxy_redirect  off;
            proxy_pass   http://oururl.blob.core.windows.net/;
            }

但是,HSTS 不允许此请求,因为后端提供的证书(?)具有不同的通用名称。即使禁用 HSTS,我们仍然会看到有关主机真实性的警告。

奇怪的是,我们在本地后端使用 proxy_pass 时没有任何问题。

作品:

/home/user# curl get.domain.com
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidQueryParameterValue</Code><Message>Value for one of the query parameters specified in the request URI is invalid.

不起作用:

/home/user# curl https://get.domain.com
curl: (51) SSL: no alternative certificate subject name matches target host name 'get.domain.com'

最后,是的,我们知道 Azure 存储的子域屏蔽功能。我们没有使用它,因为我们将子域全面转发到 Nginx IP 进行自定义处理。

更新:

curl -k -v get.domain.com
    * Hostname was NOT found in DNS cache
    *   Trying 140.17.8.10...
    * Connected to get.domain.com (140.17.8.10) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using ECDHE-RSA-AES256-SHA384
    * Server certificate:
    *        subject: CN=*.blob.core.windows.net
    *        start date: 2015-06-10 01:45:43 GMT
    *        expire date: 2017-06-09 01:45:43 GMT
    *        issuer: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; OU=Microsoft IT; CN=Microsoft IT SSL SHA2
    *        SSL certificate verify ok.
    > GET /releases/RELEASES HTTP/1.1
    > User-Agent: curl/7.35.0
    > Host: get.domain.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Content-Length: 79
    < Content-Type: application/octet-stream
    < Content-MD5: IK8vn1QxUXipiqosdijfdA==
    < Last-Modified: Tue, 05 Jan 2016 07:03:15 GMT
    < ETag: 0x8D3159E48B72E88
    * Server Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 is not blacklisted
    < Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    < x-ms-request-id: XXXXXX-XXXXX-XXXXXXXXXXXX
    < x-ms-version: 2009-09-19
    < x-ms-lease-status: unlocked
    < x-ms-blob-type: BlockBlob
    < Date: Sat, 09 Jan 2016 06:46:43 GMT
    <
    * Connection #0 to host get.domain.com left intact

相关内容