2
我無法通過nginx設置具有客戶端證書身份驗證的websocket應用程序的反向代理;到目前爲止,我已經獲得了服務器SSL證書的正常工作。這裏是我到此爲止了客戶端驗證:通過nginx代理與客戶端身份驗證的SSL websockets代理
創建客戶端證書:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey \
ca.key -set_serial 01 -out client.crt
配置nginx的:
daemon off;
events {
worker_connections 4096;
}
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443;
ssl on;
server_name rserve;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
# ssl_client_certificate /etc/nginx/certs/ca.crt;
# ssl_verify_client on;
location/{
proxy_pass http://localhost:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
如果啓用SSL客戶端的東西的事情停止工作。在我使用的是碼頭實現(JAVA)的客戶,我輸入端證書到密鑰庫中與這條線:
keytool -import -trustcacerts -keystore keystore.jks \
-storepass changeit -noprompt -alias client -file client.crt
此過程工作了自簽名證書的服務器。在客戶端上報告失敗是因爲交換協議失敗,這與我以前代表SSL握手的失敗一致 - 被代理的應用程序僅僅是websocket。