nginx reverse proxy with two-way SSL to WebLogic

Tags: ssl, nginx, reverse-proxy, weblogic11g

I am trying to use nginx as a reverse proxy to WebLogic with two-way SSL (mutual SSL) on both legs:

Client -> NGINX -> WebLogic server

Two-way SSL from the client to NGINX works fine, but the upstream connection to WebLogic fails with the following error.

nginx debug log:

2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 0
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: -1
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 2
2014/08/16 22:40:53 [debug] 33741#0: timer delta: 5
2014/08/16 22:40:53 [debug] 33741#0: posted events 0000000000000000
2014/08/16 22:40:53 [debug] 33741#0: worker cycle
2014/08/16 22:40:53 [debug] 33741#0: kevent timer: 59840, changes: 0
2014/08/16 22:40:53 [debug] 33741#0: kevent events: 2
2014/08/16 22:40:53 [debug] 33741#0: kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150
2014/08/16 22:40:53 [debug] 33741#0: *9 kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 1
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: 0
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 1
SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: localhost, server: localhost, request: "GET /customers/~/xxxx/~/xxx/health HTTP/1.1", upstream: "https://xx.xx.xx.xxx:11211/customer-upstream/~/xxx/~/xxx/health/", host: "localhost:12121"

Here is my nginx upstream configuration:

proxy_cache_path /opt/openresty/nginx/cache levels=1:2 keys_zone=data-cache:8m max_size=1000m inactive=600m;
proxy_temp_path /opt/openresty/nginx/cache/tmp;

upstream rs_backend {
    server xx.xx.xx.xxx:11211;
}

server {
    server_name localhost;
    listen 12121 ssl;
    ssl on;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    #ssl_protocols TLSv1;
    #ssl_ciphers SSL_RSA_WITH_RC4_128_MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
    #ssl_ciphers HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
    ssl_prefer_server_ciphers on;
    proxy_ssl_session_reuse off;
    large_client_header_buffers 4 32K;
    ssl_certificate /etc/ssl/api-cert.pem;
    ssl_certificate_key /etc/ssl/api-cert.key;
    ssl_client_certificate /etc/ssl/api-cert.pem;

    location /customers/ {
        rewrite ^/customers/(.*) /customer-upstream/$1/ break;
        proxy_redirect off;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 4;
        proxy_ssl_trusted_certificate /etc/ssl/api-cert-nopass.pem;
        proxy_pass_header Server;
        proxy_http_version 1.1;
        proxy_set_header Connection Keep-Alive;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host localhost:11211;
        proxy_set_header Accept 'application/json;v=3';
        proxy_pass https://xx.xx.xx.xxx:11211/;
        #proxy_pass https://rs_backend;
    }
}

I have tried various options, including commenting out the following in the configuration above:

proxy_ssl_verify on;
proxy_ssl_verify_depth 4;

If I try with the openssl s_client command line, I am able to connect and get a 2xx response to an HTTP GET request:

openssl s_client -connect xx.xx.xx.xxx:11211 -cert api-qaid-nopass.pem

Any help would be much appreciated.

proxy_ssl_trusted_certificate is used to verify the upstream server's certificate; it does not specify the client certificate that should be used when connecting to the upstream server. As far as I know, there is currently no way to make nginx use a client certificate on upstream connections.
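For later nginx releases the gap described above is closed by the built-in proxy_ssl_certificate and proxy_ssl_certificate_key directives (nginx 1.7.8 and later; the answer predates them). The configuration below is an added example, not the question's or the answer's own config; host names and file paths are placeholders, and proxy_ssl_trusted_certificate is kept separate from the client certificate because the two serve different purposes.

```nginx
# Added example: upstream mutual TLS from nginx to WebLogic.
# Assumes nginx >= 1.7.8 (proxy_ssl_certificate / proxy_ssl_certificate_key
# are built-in there); host names and paths below are placeholders.
upstream weblogic_backend {
    server weblogic.internal.example:11211;
}

server {
    listen 12121 ssl;
    server_name localhost;

    # Client -> nginx leg (mutual TLS), as in the question.
    ssl_certificate         /etc/ssl/api-cert.pem;
    ssl_certificate_key     /etc/ssl/api-cert.key;
    ssl_client_certificate  /etc/ssl/client-ca.pem;   # CA that issued the client certs
    ssl_verify_client       on;
    ssl_protocols           TLSv1.2;

    location /customers/ {
        rewrite ^/customers/(.*) /customer-upstream/$1/ break;

        # nginx -> WebLogic leg.
        # These three directives only verify the upstream server's certificate.
        # On their own nginx still presents no client certificate, which is what
        # produces "sslv3 alert handshake failure (alert number 40)" in the question.
        proxy_ssl_trusted_certificate /etc/ssl/weblogic-ca.pem;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        4;

        # The missing piece: the client certificate and key nginx presents upstream.
        # The key file must be unencrypted; nginx cannot prompt for a passphrase here.
        proxy_ssl_certificate         /etc/ssl/nginx-client-cert.pem;
        proxy_ssl_certificate_key     /etc/ssl/nginx-client-cert.key;

        proxy_ssl_protocols           TLSv1.2;
        proxy_ssl_server_name         on;   # send SNI so WebLogic selects the right cert
        proxy_ssl_name                weblogic.internal.example;
        proxy_http_version            1.1;
        proxy_set_header              Host weblogic.internal.example:11211;
        proxy_pass                    https://weblogic_backend;
    }
}
```

To check the upstream leg in isolation, run `openssl s_client -connect weblogic.internal.example:11211 -cert nginx-client-cert.pem -key nginx-client-cert.key -CAfile weblogic-ca.pem` with the same files; if s_client succeeds but nginx still logs alert 40, the certificate nginx presents is not the one WebLogic's trust store expects.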

Support has been added for two-way/mutual authentication using a certificate and key.

See the pull request:


It has been validated against a WebLogic 11g server configured for two-way SSL.

I am using the server certificate extracted from the jks file as shown below, and it does not work:

/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home/bin/keytool -export -alias api-cert -storepass xxx -file server.cer -keystore api-cert.jks

I also tried the following commands to extract the certificate:

keytool -export -file /tmp/trustedcafile.der -keystore api-cert.jks -alias api-cert; openssl x509 -inform der -outform PEM -text -in /tmp/trustedcafile.der -out /tmp/api-cert.pem

With openssl s_client you specified a client certificate to use for the upstream, and nginx does not. That is why mutual authentication succeeds with s_client and fails with nginx.

Why the downvote?

See above: the problem was resolved by applying the code patch.