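I want to send the DN field from the client certificate ($ssl_client_s_dn), but I want to send it encrypted.
The question "nginx append query parameter to React application" explains how to add a parameter to a React application using rewrite and try_files, and how to prevent an infinite rewrite/redirect loop.
But I don't know how to encrypt this variable ($ssl_client_s_dn).
My configuration file is: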
server {
    listen 9999 ssl default_server;
    listen [::]:9999 ssl default_server;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /keystores/mycert.crt.pem; ##
    ssl_certificate_key /keystores/mycert.key.pem; ##
    ssl_client_certificate /keystores/.npm.certs.pem; ## CA Bundle
    ssl_verify_client on;
    root /home/edu/my-react-app;
    index index.html;
    server_name _;
    location / {
        try_files $uri $uri/ /index.html =404;
    }
    location = /login {
        if ($arg_DN = "") {
            rewrite ^ /login?DN=$ssl_client_s_dn redirect;
        }
        try_files /index.html =404;
    }
}
Any help? Thanks.
Answer 1
First, I used the njs module, so I had to add these two lines at the top of the file /etc/nginx/nginx.conf:
load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;
I created a small JavaScript file (/etc/nginx/conf.d/njs/ximo.js) that converts the variable to Base64:
function dnencrypted(r) {
    var dn = r.variables.ssl_client_s_dn; // get the DN
    return btoa(dn); // convert to Base64
}
export default {dnencrypted};
Now I added a reference to this JavaScript file and to the variable $dnencrypted in the second configuration file (/etc/nginx/conf.d/default.conf):
# 1. References to the javascript file and the variable
js_path "/etc/nginx/conf.d/njs";
js_import main from ximo.js;
js_set $dnencrypted main.dnencrypted;
server {
    listen 9999 ssl default_server;
    listen [::]:9999 ssl default_server;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /keystores/mycert.crt.pem; ##
    ssl_certificate_key /keystores/mycert.key.pem; ##
    ssl_client_certificate /keystores/.npm.certs.pem; ## CA Bundle
    ssl_verify_client on;
    root /home/edu/my-react-app;
    index index.html;
    server_name _;
    location / {
        try_files $uri $uri/ /index.html =404;
    }
    location = /login {
        # 2. Add the query param obtained with the variable from the javascript file
        # The argument name must match the one added by the rewrite, otherwise the redirect loops
        if ($arg_dnencrypted = "") {
            rewrite ^ /login?dnencrypted=$dnencrypted redirect;
        }
        try_files /index.html =404;
    }
}
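The obfuscation of this variable is very weak. This answer only gives the general idea. To get strong encryption, other cryptographic libraries must be used!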
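The answer's closing remark says Base64 is only weak obfuscation. As an added example (not part of the original answer, and written for Node.js rather than njs, whose built-in crypto module differs from Node's), the following contrasts the reversible Base64 value with an AES-256-GCM token that only a key holder can open and that rejects modification. The names sealDn, openDn, tamper, SAMPLE_DN and DEMO_KEY are hypothetical, and the DN and key are constructed sample values.

```javascript
// Added example for Node.js. Not njs: njs's built-in crypto module differs.
const crypto = require('node:crypto');

// Constructed sample DN and demo key. In practice the 32-byte key comes from a
// secret store and is known only to the component that issues the token and
// the backend that opens it, never to the browser.
const SAMPLE_DN = 'CN=Alice Example,OU=Engineering,O=Example Corp,C=ES';
const DEMO_KEY = crypto.createHash('sha256').update('constructed demo key').digest();

// What the answer's btoa() does: an encoding that anyone can reverse.
function base64Encode(dn) {
  return Buffer.from(dn, 'utf8').toString('base64');
}
function base64Decode(value) {
  return Buffer.from(value, 'base64').toString('utf8');
}

// Hypothetical helper: AES-256-GCM with a fresh 96-bit nonce per token.
// Token layout: base64url(nonce || tag || ciphertext), safe in a query string.
function sealDn(dn, key) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(dn, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]).toString('base64url');
}

// Hypothetical helper: returns the DN, or null if the token is malformed,
// was modified, or was sealed under a different key.
function openDn(token, key) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < 12 + 16) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication tag mismatch
  }
}

// Flip one bit in the ciphertext part to simulate a modified query parameter.
function tamper(token) {
  const raw = Buffer.from(token, 'base64url');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64url');
}
```

The token is opaque to the React application in the browser; only the server-side component holding the key can recover the DN from it.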