十年网站开发经验 + 多家企业客户 + 靠谱的建站团队
量身定制 + 运营维护+专业推广+无忧售后,网站问题一站解决
nginx中怎么实现双向认证,很多新手对此不是很清楚,为了帮助大家解决这个难题,下面小编将为大家详细讲解,有这方面需求的人可以来学习下,希望你能有所收获。
专注于为中小企业提供网站设计、网站建设服务,电脑端+手机端+微信端的三站合一,更高效的管理,为中小企业永定免费做网站提供优质的服务。我们立足成都,凝聚了一批互联网行业人才,有力地推动了近1000家企业的稳健成长,帮助中小企业通过网站建设实现规模扩充和转变。
客户端证书生成:
1)创建根证私钥
openssl genrsa -out root-key.key 2048
2)创建根证书请求文件
openssl req -new -out root-req.csr -key root-key.key
具体如下
[root@localhost sslKey]# openssl req -new -out root-req.csr -key root-key.key You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:bj Locality Name (eg, city) [Default City]:bj Organization Name (eg, company) [Default Company Ltd]:dc Organizational Unit Name (eg, section) []:dc Common Name (eg, your name or your server's hostname) []:root Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
其中国家,省市,公司等需要和后面的证书保持一致.后面challenge password的地方直接回车就好
3)自签根证书
openssl x509 -req -in root-req.csr -out root-cert.cer -signkey root-key.key -CAcreateserial -days 3650
4)生成p12格式根证书,密码填写123456
openssl pkcs12 -export -clcerts -in root-cert.cer -inkey root-key.key -out root.p12
至此客户端证书生成完毕。
我们得到root-cert.cer 和 root.p12,将root.p12导入至浏览器,在nignx中开启客户端认证
server { listen 443; server_name abc.com; ssl on; ssl_certificate cert/server.pem; ssl_certificate_key cert/server.key; ssl_client_certificate cert/root.cer; #本文生成cer文件 ssl_verify_client on; #开启校验 ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; client_max_body_size 10m; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_pass http://192.168.0.138:8081; } }
看完上述内容是否对您有帮助呢?如果还想对相关知识有进一步的了解或阅读更多相关文章,请关注创新互联行业资讯频道,感谢您对创新互联的支持。