真实的国产乱ⅩXXX66竹夫人,五月香六月婷婷激情综合,亚洲日本VA一区二区三区,亚洲精品一区二区三区麻豆

成都創(chuàng)新互聯(lián)網(wǎng)站制作重慶分公司

Configuring HTTPS mutual authentication with nginx and ingress

With nginx doing the mutual (client certificate) authentication, client certificates can be revoked.

In k8s, configuring TLS on an ingress can enforce client authentication, but revocation does not work: repeated tests failed to get it working (k8s 1.14.8).

1 HTTPS mutual authentication with nginx

    Mutual authentication can be set up on your own; it is independent of the server certificate issued by a public CA. You only need to create your own CA and client certificates.

    If you have no CA-issued certificate, the self-built CA can also issue a local server certificate and then the client certificate, giving mutual authentication in a local environment; this is common for testing.

1.1 Preparing the nginx environment

  Install nginx
  yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel
  rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
  yum install nginx -y
  nginx -v
  systemctl start nginx

1.2 Configuring nginx

    Edit the nginx configuration file; the certificate paths and names used below are planned in advance.

    vi /etc/nginx/conf.d/443.conf

    ca.crl is the revocation list; enable that line only after a certificate has actually been revoked.

server {
    listen 443 ssl;
    server_name www.younihao.com;

    ssl_certificate           /etc/nginx/ca/server/server.crt;
    ssl_certificate_key       /etc/nginx/ca/server/server.key;
    ssl_client_certificate    /etc/nginx/ca/private/ca.crt;   # the CA that issues the client certificates

    ssl_session_timeout 5m;
    ssl_verify_client on;                                      # a client certificate is mandatory

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # this list still admits RC4, LOW, EXP and SSLv2 suites; tighten it (and drop TLSv1/TLSv1.1) on anything exposed
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
#   ssl_crl /etc/nginx/ca/private/ca.crl;                      # enable after a revocation (section 1.5)

    charset utf-8;
    access_log /var/log/nginx/host.access.log main;            # the package's log directory; a relative logs/ path needs /etc/nginx/logs to exist
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
        expires 90d;
    }
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

1.3 Creating the self-signed CA, server and client certificates

    1.3.1 Create the certificate directories

cd /etc/nginx/
mkdir ca
cd ca/
mkdir newcerts private conf server users

    1.3.2 Create the openssl configuration file

vi /etc/nginx/ca/conf/openssl.conf
[ ca ]
default_ca = myserver

[ myserver ]
dir = /etc/nginx/ca
database = /etc/nginx/ca/index.txt
new_certs_dir = /etc/nginx/ca/newcerts
certificate = /etc/nginx/ca/private/ca.crt
serial = /etc/nginx/ca/serial
private_key = /etc/nginx/ca/private/ca.key
RANDFILE = /etc/nginx/ca/private/.rand

default_days = 3650
default_crl_days = 3650
default_md = sha256
unique_subject = no

policy = policy_any

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
emailAddress = optional

    1.3.3 Generate the CA, server and client certificates

 Generate the CA
 openssl genrsa -out /etc/nginx/ca/private/ca.key 2048
 openssl req -new -key /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.csr
 openssl x509 -req -days 3650 -in /etc/nginx/ca/private/ca.csr -signkey /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.crt

 Set the starting serial number
 echo FACE > /etc/nginx/ca/serial
 Create the CA database (index)
 touch /etc/nginx/ca/index.txt
 Create an (initially empty) certificate revocation list
 openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 3670 -config "/etc/nginx/ca/conf/openssl.conf"

 Generate the server certificate, signed by our own CA
 openssl genrsa -out /etc/nginx/ca/server/server.key 2048
 openssl req -new -key /etc/nginx/ca/server/server.key -out /etc/nginx/ca/server/server.csr
 openssl ca -in /etc/nginx/ca/server/server.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

 Generate the client certificate
 openssl genrsa -out /etc/nginx/ca/users/client.key 2048
 openssl req -new -key /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.csr
 openssl ca -in /etc/nginx/ca/users/client.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"
When req creates a certificate request it prompts for a series of fields, as shown in the figures below.
For the Common Name, the server request must use the domain name; the CA and client requests have no requirement. The other fields must be kept identical across all three, because the policy above declares countryName, stateOrProvinceName and organizationName as "match" and openssl ca will refuse a request whose values differ from the CA's.

[Figures: the interactive openssl req prompts for the CA, server and client requests]

    1.3.4 Convert the client certificate to a PKCS12 file

    A password must be set when generating this file; the browser asks for it when the certificate is imported.

openssl pkcs12 -export -clcerts -in /etc/nginx/ca/users/client.crt -inkey /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.p12

1.4 Verifying mutual authentication

   1.4.1 With the nginx configuration edited and all certificate paths and names correct

        nginx -t          # check the configuration syntax

        nginx -s reload   # load the new configuration

    1.4.2 Download the client.p12 file

        sz /etc/nginx/ca/users/client.p12

    1.4.3 Import the client certificate into the browser

            Every browser does this differently; look up how to import a p12 certificate file in yours, and restart the browser after importing.

            Visit https://www.younihao.com in the browser; a certificate selection dialog appears. Select the myclient certificate and the site loads normally.

            Visiting without a certificate returns 400 Bad Request (No required SSL certificate was sent).

1.5 Revoking a client certificate

    1.5.1 Look up the serial number

openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject

[root@loaclhost ]# openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject
serial=FACF   ## the serial number is FACF
subject= /C=cn/ST=henan/O=supercom/L=zhengzhou/CN=myclient

    1.5.2 Create crlnumber

echo 01 > /etc/nginx/ca/crlnumber   ## only needed the first time

    1.5.3 Add the revocation setting to the openssl configuration

vi /etc/nginx/ca/conf/openssl.conf   ## add the line below under [ myserver ]
crlnumber = /etc/nginx/ca/crlnumber

    1.5.4 Revoke the client certificate

openssl ca -revoke /etc/nginx/ca/newcerts/FACF.pem -config "/etc/nginx/ca/conf/openssl.conf"

    1.5.5 Regenerate the CRL

openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -config "/etc/nginx/ca/conf/openssl.conf"

Check that the revocation took effect (the serial should be listed under Revoked Certificates)
openssl crl -in /etc/nginx/ca/private/ca.crl -noout -text

    1.5.6 Adjust the nginx configuration

vi /etc/nginx/conf.d/443.conf   ## enable the crl line
ssl_crl /etc/nginx/ca/private/ca.crl;
nginx -t   # check, then reload
nginx -s reload

    1.5.7 Verify the revocation

    Open the browser and visit again, selecting the same certificate; if access is refused, the revocation worked. Note that a browser may resume the earlier TLS session (ssl_session_timeout is 5m above) without presenting the certificate again, so restart it or wait before judging the result.
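The whole sequence of 1.3 and 1.5 (CA, client certificate, revoke, regenerate CRL) rehearsed in a throwaway directory, so the CRL can be checked with openssl before it is wired into nginx. This is an added example, not part of the original post; CA_DIR, the helper names and the CA name "myca" are assumptions, and unlike the page's command the CA certificate is given the CA:TRUE extension.

```shell
# Added example (not from the original post): rehearses the page's CA layout, client
# issuance and revocation in a temp dir. CA_DIR, helper names and "myca" are assumptions.
set -eu; command -v openssl >/dev/null || exit 0   # needs the openssl CLI
ca_setup() {   # 1.3.1-1.3.3 without prompts; also gives the CA the CA:TRUE extension the page omits
  CA_DIR=$(mktemp -d); CONF=$CA_DIR/conf/openssl.conf
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/conf" "$CA_DIR/users"
  touch "$CA_DIR/index.txt"; echo FACE > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
  cat > "$CONF" <<EOF
[ ca ]
default_ca = myserver
[ myserver ]
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
certificate = $CA_DIR/private/ca.crt
private_key = $CA_DIR/private/ca.key
serial = $CA_DIR/serial
crlnumber = $CA_DIR/crlnumber
default_days = 3650
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
  for k in private/ca users/client; do openssl genrsa -out "$CA_DIR/$k.key" 2048 2>/dev/null; done
  openssl req -batch -config "$CONF" -x509 -new -sha256 -days 3650 -key "$CA_DIR/private/ca.key" -subj "/C=cn/ST=henan/O=supercom/CN=myca" -extensions ca_ext -out "$CA_DIR/private/ca.crt"
  openssl ca -config "$CONF" -gencrl -crldays 3670 -out "$CA_DIR/private/ca.crl" 2>/dev/null   # empty CRL
  openssl req -batch -config "$CONF" -new -key "$CA_DIR/users/client.key" -subj "/C=cn/ST=henan/O=supercom/L=zhengzhou/CN=myclient" -out "$CA_DIR/users/client.csr"
  openssl ca -batch -config "$CONF" -in "$CA_DIR/users/client.csr" -out "$CA_DIR/users/client.crt" >/dev/null 2>&1   # C/ST/O must equal the CA's ("match")
}
client_status() {   # the decision nginx makes once ssl_crl is enabled: prints valid, revoked or error
  out=$(openssl verify -crl_check -CAfile "$CA_DIR/private/ca.crt" -CRLfile "$CA_DIR/private/ca.crl" "$CA_DIR/users/client.crt" 2>&1) || true
  case $out in *"certificate revoked"*) echo revoked ;; *": OK"*) echo valid ;; *) echo "error: $out" ;; esac
}
revoke_client() {   # 1.5.4-1.5.5; -revoke accepts any copy of the cert, so newcerts/<serial>.pem is not required
  openssl ca -config "$CONF" -revoke "$CA_DIR/users/client.crt" 2>/dev/null
  openssl ca -config "$CONF" -gencrl -crldays 3670 -out "$CA_DIR/private/ca.crl" 2>/dev/null   # the CRL must be regenerated
}
ca_setup; echo "before revocation: $(client_status)"    # valid
revoke_client; echo "after revocation: $(client_status)"   # revoked
```

Run the same `openssl verify -crl_check` against the real /etc/nginx/ca files before `nginx -s reload`; if it still prints OK, the CRL was not regenerated or nginx is pointing at an old one.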

1.6 nginx authentication references

https://blog.csdn.net/rexueqingchun/article/details/82251563
https://help.aliyun.com/document_detail/54508.html?spm=5176.2020520152.0.0.61bb16ddEk6YWC

2 HTTPS mutual authentication with ingress (no revocation)

 2.1 Example ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: nginx-test
  namespace: default
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret

 2.2 Create tls-secret and ca-secret

tls-secret can hold either a self-built server certificate or one issued by a public CA
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key

ca-secret is created from your own CA directory
cd /etc/nginx/ca/private
kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt

Then create the ingress
kubectl create -f ingress.yaml

 2.3 Other annotations

For cross-origin (CORS) problems on the ingress, add the following annotations to it
    nginx.ingress.kubernetes.io/cors-allow-headers: >-
      DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
    nginx.ingress.kubernetes.io/cors-allow-methods: 'PUT, GET, POST, OPTIONS'
    nginx.ingress.kubernetes.io/cors-allow-origin: '*'
    nginx.ingress.kubernetes.io/enable-cors: 'true'

Force HTTPS (443) on the ingress
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'

Ingress source-IP whitelist
    nginx.ingress.kubernetes.io/whitelist-source-range: '192.168.5.3'

 2.4 Ingress references

https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/
https://kubernetes.github.io/ingress-nginx/examples/PREREQUISITES/#client-certificate-authentication
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/


Article: Configuring HTTPS mutual authentication with nginx and ingress
Link: http://weahome.cn/article/pchhsi.html