我希望使用 Nginx 作为前端 SSL 代理并使用 Letsencrypt 证书,同时使用其他(自签名)证书限制客户端对某些后端服务器的访问。我无法同时使用 Letsencrypt,因为它不提供客户端证书。如何使用两个不同的证书链,Letsencrypt 用于保护流量,自签名用于客户端身份验证?我在 Nginx v1.11 中读到SSL 证书指令可以多次指定,我尝试了下面的配置,但浏览器拒绝连接。我怀疑这是因为浏览器呈现了错误的链。
server {
listen 443 ssl;
server_name <frontend>;
include snippets/letsencrypt.conf; # <=== Letsencrypt certs
include snippets/ssl-params.conf;
# Mandatory certificate request setup, self-signed certs
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server_np.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
location /secret {
proxy_pass http://192.168.122.100:80/secret;
proxy_redirect http://192.168.122.100:80/secret https://<frontend>/secret;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
}
答案1
@Sven:实际上,建议的配置有效。@garethTheRed:是的,你是对的,ssl_certificate 和 ssl_client_certificate 是不相关的。
完整的工作配置。
server {
listen 443 ssl;
server_name <frontend>;
include snippets/ssl-params.conf;
ssl_certificate /etc/nginx/certs/letsencrypt_fullchain.crt;
ssl_certificate_key /etc/nginx/certs/letsencrypt.key;
# Mandatory certificate request setup, self-signed certs
ssl_client_certificate /etc/nginx/certs/ca_to_verify_agains_not-not_letsencrypt.crt;
ssl_crl /etc/nginx/certs/ca_to_verify_agains_not-not_letsencrypt.crl;
ssl_verify_client on;
location /secret {
proxy_pass http://192.168.122.100:80/secret;
proxy_redirect http://192.168.122.100:80/secret https://<frontend>/secret;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
}