sillycat
- 浏览: 2558084 次
- 性别:
- 来自: 成都
-
文章分类
最新评论
-
nation:
你好,在部署Mesos+Spark的运行环境时,出现一个现象, ...
Spark(4)Deal with Mesos -
sillycat:
AMAZON Relatedhttps://www.godad ...
AMAZON API Gateway(2)Client Side SSL with NGINX -
sillycat:
sudo usermod -aG docker ec2-use ...
Docker and VirtualBox(1)Set up Shared Disk for Virtual Box -
sillycat:
Every Half an Hour30 * * * * /u ...
Build Home NAS(3)Data Redundancy -
sillycat:
3 List the Cron Job I Have>c ...
Build Home NAS(3)Data Redundancy
AMAZON API Gateway(2)Client Side SSL with NGINX or NodeJS
1 API Gateway to Connect to AWS API
https://aws.amazon.com/api-gateway/faqs/
Can Amazon API Gateway work within an Amazon VPC?
Can I verify that it is API Gateway calling my backend?
SSL for LB
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-update-ssl-cert.html#us-update-lb-SSLcert-console
Client side SSL
http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Client SSL for NodeJS
http://www.graemeboy.com/validating-https-nodejs
Client Side SSL for Nginx
http://nategood.com/client-side-certificate-authentication-in-ngi
https://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/
https://gist.github.com/mtigas/952344
2 Stop the Apache on my Local for 80 Port
sudo apachectl stop
3 Start with NGINX
Start the nginx server
> sudo sbin/nginx
I install the latest stable version of nginx nginx-1.6.3
Error Message 1:
nginx: [emerg] unknown directive "ssl_client_certificate" in /home/carl/tool/nginx-1.6.3/conf/nginx.conf:43
Solution:
http://sillycat.iteye.com/blog/2074417
> ./configure --with-http_stub_status_module --with-http_ssl_module --prefix=/home/carl/tool/nginx-1.6.3
http://suoranciata.github.io/ssl-client-auth.html
4 Configure the Client Side Certificate Validation
http://suoranciata.github.io/ssl-client-auth.html
http://stackoverflow.com/questions/11840873/how-to-proxy-http-x-ssl-client-s-dn-header
This is the mock server output all the headers:
require('http').createServer(function(req, res) {
res.writeHead(200)
res.write("<pre>")
res.write(req.method + " " + req.url + " HTTP/" + req.httpVersion + "\n")
for (var name in req.headers) {
res.write(name + ": " + req.headers[name] + "\n")
}
res.end("</pre>")
}).listen(8080)
This is the output
GET / HTTP/1.0
x-ssl-client-verify: NONE
host: 127.0.0.1:8080
connection: close
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8,zh-TW;q=0.6,zh;q=0.4
This is the nginx.conf file, it seems that I need to make the ssl on to make it work.
ssl on;
ssl_certificate /home/carl/install/keys/ca.crt;
ssl_certificate_key /home/carl/install/keys/ca.key;
ssl_client_certificate /opt/nginx/conf/certs/ca.crt;
ssl_verify_depth 1;
ssl_verify_client optional;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-SSL-client-serial $ssl_client_serial;
proxy_set_header X-SSL-client-s-dn $ssl_client_s_dn;
proxy_set_header X-SSL-client-i-dn $ssl_client_i_dn;
proxy_set_header X-SSL-client-session-id $ssl_session_id;
proxy_set_header X-SSL-client-verify $ssl_client_verify;
}
If I need client side certificate validation, I need to to have ssl on, it is a little complex than I thought. Reading more documents.
If I want to do that within nodeJS.
var https = require('https');
var fs = require('fs');
var options = {
key: fs.readFileSync('/home/carl/install/keys/ca.key'),
cert: fs.readFileSync('/home/carl/install/keys/ca.crt'),
// This is necessary only if using the client certificate authentication.
requestCert: true,
// This is necessary only if the client uses the self-signed certificate.
ca: [ fs.readFileSync('ssl/ca.crt') ]
};
https.createServer(options, function (req, res) {
res.writeHead(200);
res.write("Hello.\n");
if(req.client.authorized) {
res.write('Access granted.\n');
}
else {
res.write('Access denied.\n');
}
res.end();
}).listen(8081);
Hello.
Access denied.
References:
https://gist.github.com/mtigas/952344
http://stackoverflow.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain
1 API Gateway to Connect to AWS API
https://aws.amazon.com/api-gateway/faqs/
Can Amazon API Gateway work within an Amazon VPC?
Can I verify that it is API Gateway calling my backend?
SSL for LB
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-update-ssl-cert.html#us-update-lb-SSLcert-console
Client side SSL
http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Client SSL for NodeJS
http://www.graemeboy.com/validating-https-nodejs
Client Side SSL for Nginx
http://nategood.com/client-side-certificate-authentication-in-ngi
https://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/
https://gist.github.com/mtigas/952344
2 Stop the Apache on my Local for 80 Port
sudo apachectl stop
3 Start with NGINX
Start the nginx server
> sudo sbin/nginx
I install the latest stable version of nginx nginx-1.6.3
Error Message 1:
nginx: [emerg] unknown directive "ssl_client_certificate" in /home/carl/tool/nginx-1.6.3/conf/nginx.conf:43
Solution:
http://sillycat.iteye.com/blog/2074417
> ./configure --with-http_stub_status_module --with-http_ssl_module --prefix=/home/carl/tool/nginx-1.6.3
http://suoranciata.github.io/ssl-client-auth.html
4 Configure the Client Side Certificate Validation
http://suoranciata.github.io/ssl-client-auth.html
http://stackoverflow.com/questions/11840873/how-to-proxy-http-x-ssl-client-s-dn-header
This is the mock server output all the headers:
require('http').createServer(function(req, res) {
res.writeHead(200)
res.write("<pre>")
res.write(req.method + " " + req.url + " HTTP/" + req.httpVersion + "\n")
for (var name in req.headers) {
res.write(name + ": " + req.headers[name] + "\n")
}
res.end("</pre>")
}).listen(8080)
This is the output
GET / HTTP/1.0
x-ssl-client-verify: NONE
host: 127.0.0.1:8080
connection: close
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8,zh-TW;q=0.6,zh;q=0.4
This is the nginx.conf file, it seems that I need to make the ssl on to make it work.
ssl on;
ssl_certificate /home/carl/install/keys/ca.crt;
ssl_certificate_key /home/carl/install/keys/ca.key;
ssl_client_certificate /opt/nginx/conf/certs/ca.crt;
ssl_verify_depth 1;
ssl_verify_client optional;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-SSL-client-serial $ssl_client_serial;
proxy_set_header X-SSL-client-s-dn $ssl_client_s_dn;
proxy_set_header X-SSL-client-i-dn $ssl_client_i_dn;
proxy_set_header X-SSL-client-session-id $ssl_session_id;
proxy_set_header X-SSL-client-verify $ssl_client_verify;
}
If I need client side certificate validation, I need to to have ssl on, it is a little complex than I thought. Reading more documents.
If I want to do that within nodeJS.
var https = require('https');
var fs = require('fs');
var options = {
key: fs.readFileSync('/home/carl/install/keys/ca.key'),
cert: fs.readFileSync('/home/carl/install/keys/ca.crt'),
// This is necessary only if using the client certificate authentication.
requestCert: true,
// This is necessary only if the client uses the self-signed certificate.
ca: [ fs.readFileSync('ssl/ca.crt') ]
};
https.createServer(options, function (req, res) {
res.writeHead(200);
res.write("Hello.\n");
if(req.client.authorized) {
res.write('Access granted.\n');
}
else {
res.write('Access denied.\n');
}
res.end();
}).listen(8081);
Hello.
Access denied.
References:
https://gist.github.com/mtigas/952344
http://stackoverflow.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain
分享到:
评论
1 楼
sillycat
2016-02-09
AMAZON Related
https://www.godaddy.com/help/generating-a-certificate-signing-request-csr-apache-2x-5269
https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
https://www.godaddy.com/help/generating-a-certificate-signing-request-csr-apache-2x-5269
https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
发表评论
-
Stop Update Here
2020-04-28 09:00 321I will stop update here, and mo ... -
NodeJS12 and Zlib
2020-04-01 07:44 483NodeJS12 and Zlib It works as ... -
Docker Swarm 2020(2)Docker Swarm and Portainer
2020-03-31 23:18 373Docker Swarm 2020(2)Docker Swar ... -
Docker Swarm 2020(1)Simply Install and Use Swarm
2020-03-31 07:58 373Docker Swarm 2020(1)Simply Inst ... -
Traefik 2020(1)Introduction and Installation
2020-03-29 13:52 342Traefik 2020(1)Introduction and ... -
Portainer 2020(4)Deploy Nginx and Others
2020-03-20 12:06 434Portainer 2020(4)Deploy Nginx a ... -
Private Registry 2020(1)No auth in registry Nginx AUTH for UI
2020-03-18 00:56 441Private Registry 2020(1)No auth ... -
Docker Compose 2020(1)Installation and Basic
2020-03-15 08:10 379Docker Compose 2020(1)Installat ... -
VPN Server 2020(2)Docker on CentOS in Ubuntu
2020-03-02 08:04 461VPN Server 2020(2)Docker on Cen ... -
Buffer in NodeJS 12 and NodeJS 8
2020-02-25 06:43 391Buffer in NodeJS 12 and NodeJS ... -
NodeJS ENV Similar to JENV and PyENV
2020-02-25 05:14 484NodeJS ENV Similar to JENV and ... -
Prometheus HA 2020(3)AlertManager Cluster
2020-02-24 01:47 428Prometheus HA 2020(3)AlertManag ... -
Serverless with NodeJS and TencentCloud 2020(5)CRON and Settings
2020-02-24 01:46 340Serverless with NodeJS and Tenc ... -
GraphQL 2019(3)Connect to MySQL
2020-02-24 01:48 253GraphQL 2019(3)Connect to MySQL ... -
GraphQL 2019(2)GraphQL and Deploy to Tencent Cloud
2020-02-24 01:48 454GraphQL 2019(2)GraphQL and Depl ... -
GraphQL 2019(1)Apollo Basic
2020-02-19 01:36 330GraphQL 2019(1)Apollo Basic Cl ... -
Serverless with NodeJS and TencentCloud 2020(4)Multiple Handlers and Running wit
2020-02-19 01:19 317Serverless with NodeJS and Tenc ... -
Serverless with NodeJS and TencentCloud 2020(3)Build Tree and Traverse Tree
2020-02-19 01:19 323Serverless with NodeJS and Tenc ... -
Serverless with NodeJS and TencentCloud 2020(2)Trigger SCF in SCF
2020-02-19 01:18 298Serverless with NodeJS and Tenc ... -
Serverless with NodeJS and TencentCloud 2020(1)Running with Component
2020-02-19 01:17 314Serverless with NodeJS and Tenc ...
相关推荐
然后在 Nginx 配置中添加 `ssl` 相关指令。 ```nginx server { listen 443 ssl; # 使用443端口 server_name yourdomain.com; ssl_certificate /path/to/your/certificate.crt; # 替换为你的证书路径 ssl_...
2. **安装或重新安装Nginx**:按照Nginx的官方指南进行编译和安装,例如:`./configure --with-http_ssl_module --with-http_stub_status_module`,然后执行`make && make install`。 3. **编辑Nginx配置文件**:...
"Linux 生成 SSL 证书供 nginx 使用" Linux 生成 SSL 证书供 nginx 使用是指通过 OpenSSL 命令生成 SSL 证书的过程,这个过程包括生成私钥、证书请求文件、证书文件和配置 nginx 使用证书。 首先,生成私钥文件...
apigateway 基于Openresty和NGINX的高性能API网关。目录地位当前项目被认为可以投入生产。快速开始单机版$ docker run --name= " apigateway " \ -p 80:80 \ -e " LOG_LEVEL=info " \ adobeapiplatform/apigateway:...
nginx-ssl-client 使用nginx创建用于客户端证书身份验证的简单测试服务器。 脚步 检查certs / README.md以了解如何创建证书。 (选择)。 将nginx / ssl-client.conf设置为ssl_verify_client optional; 测试服务器...
linux安装nginx并支持ssl,使得服务器支持证书签名,提升应用的安全性
2. 编辑配置文件:修改 `nginx.conf` 或者创建新的虚拟主机配置,定义代理监听端口和上游服务器(即API接口的地址)。 3. 设置代理:在 Nginx 配置中,使用 `proxy_pass` 指令指定上游服务器。 4. 配置代理头:确保...
ssl自制全套证书(包含服务器端、客户端、ca端的证书,格式有.crt,.key,.truststore,.keystore,.p12,.cer,.pem等类型),当时要配置webservice接口、tomca、nginx通过ssl访问的证书,弄了好久才生成了一套能使用的。...
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-ipv6 集成了SSL的编译好的nginx文件,放在/usr/local/nginx/sbin/目录下(nginx需停止状态),启动nginx
### Nginx双向SSL认证配置详解 #### 一、引言 随着网络安全意识的提高,SSL/TLS协议在Web服务器中的应用越来越广泛。双向SSL认证不仅保护了服务器免受未授权访问,还确保了客户端的身份安全可靠。本文将详细介绍...
Nginx基于SSL协议下,利用http basic身份验证,可以实现简单访问WebApi,达到集群负载均衡的效果。通过简单的设计,在局域网上应用还是够用的。当然,身份认证方式有很多种,使用redis、token都是可以的。WebApi基于...
**Nginx SSL双向认证配置详解** 在网络安全日益重要的今天,服务器与客户端之间的通信安全成为了一个不可忽视的问题。本文将详细介绍如何在Nginx服务器上配置SSL双向认证,以提高服务器的安全性,允许只有经过验证...
- **创建 ssl 文件夹**:在 Nginx 安装目录下创建 `ssl` 文件夹,例如 `C:\wnmp\nginx\ssl`。 - **以管理员身份打开命令提示符**,并进入 `ssl` 文件夹。 ```shell cd c:/wnmp/nginx/ssl ``` - **创建私钥**:...
Nginx完整配置说明 Nginx是当前最流行的Web服务器软件之一,常用于搭建Web服务器、反向代理服务器、负载均衡器等。下面是Nginx的完整配置说明,涵盖基本配置、反向代理、FastCGI等方面的知识点。 一、基本配置 在...
标题 "5分钟完成nginx ssl配置" 暗示了我们将探讨如何快速地为Nginx Web服务器配置SSL(Secure Socket Layer)以实现HTTPS安全连接。Nginx是一款高性能的HTTP和反向代理服务器,广泛应用于互联网,而SSL/TLS协议则是...
Nginx配置SSL证书以监听443端口的方法是网络安全和Web服务器管理中的一项重要技能。443端口是HTTP安全套接字层(HTTPS)服务的标准端口,而SSL(安全套接字层)是一种安全协议,用于为互联网通信加密,保障数据传输...
2. **软件资源**:包括SSL/TLS协议的支持库,例如OpenSSL,以及Web服务器软件,如Nginx。此外,可能还需要特定的SSL卸载软件,如TASSL,它提供了对国密算法的支持。 **主要步骤** 1. **TASSL安装与测试** - **...
2. **下载SSL证书**: - 审核通过后,下载证书文件,通常包含一个.pem格式的公钥证书和一个.key格式的私钥文件。对于Nginx,可能还需要一个.crt或者.cer文件。 3. **配置Nginx**: - 编辑Nginx配置文件(如`/etc/...
"本地nginx部署ssl.rar"这个压缩包文件显然包含了关于如何在本地nginx服务器上配置SSL的详细步骤和资源。 Nginx是一款高性能的HTTP和反向代理服务器,广泛用于网站服务器和负载均衡配置。它以其稳定性、高性能和...
### Nginx 和 Tomcat 配置 SSL 与负载均衡详解 #### 一、Nginx 支持 SSL 的确认方法 Nginx 支持 SSL 加密是现代 Web 服务器的基本需求之一,确保数据传输的安全性。首先,我们需要确认当前安装的 Nginx 版本是否...