Nginx SSL proxy to an upstream server using SSL

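I am using nginx as a proxy for a Kestrel web server. Both nginx and Kestrel are configured for mutual TLS, so a client cannot communicate with the server unless a certificate is sent along with the request. I would like to be able to forward the SSL certificate that nginx receives on to Kestrel, but I cannot seem to do this. The proxy_ssl on directive, used in the server block, gives an error, and the proxy_ssl_certificate serv.crt directive is not what I need, because it sends the specified certificate to Kestrel, whereas I want to send the client certificate that was passed to nginx on to Kestrel.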

Below is a snippet of my Nginx configuration:

    upstream prod {
      server 127.0.0.1:443;
    }

    server {
      listen 4430 ssl http2;
      ssl on;
      ssl_certificate /etc/ssl/certs/serv.crt;
      ssl_certificate_key  /etc/ssl/certs/serv.key;
      ssl_password_file    /etc/nginx/certs/ssl_passwords.txt;
      ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
      ssl_crl /etc/ssl/ca/private/ca.crl;
      ssl_verify_client optional_no_ca;
      ssl_session_timeout 5m;
      ssl_prefer_server_ciphers on;
      ssl_protocols TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDH$
      keepalive_timeout 10;
      server_name my-api;
      try_files $uri @prod;



      location / {
        add_header Access-Control-Allow-Origin *;
        #proxy_ssl_session_reuse on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/serv.crt;
        #proxy_ssl_certificate /etc/ssl/certs/serv.crt;
        #proxy_ssl_certificate_key /etc/ssl/certs/serv.key;
        proxy_ssl_password_file    /etc/nginx/certs/ssl_passwords.txt;
        proxy_ssl_verify       off;
        proxy_ssl_verify_depth 2;


        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_pass https://prod;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
      }
Any help would be greatly appreciated.

Thanks
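
One way to hand the client certificate to the upstream, added here as an example and not part of the original post: nginx terminates the client's TLS session and does not hold the client's private key, so it passes the certificate in a request header while authenticating to Kestrel with its own certificate. The header names X-Client-Cert and X-Client-Verify are assumptions chosen for illustration; file paths are the ones from the question.

```nginx
# Added example, not the poster's configuration.
# Header names X-Client-Cert / X-Client-Verify are illustrative assumptions.
upstream prod {
  server 127.0.0.1:443;
}

server {
  listen 4430 ssl http2;
  server_name my-api;
  ssl_certificate        /etc/ssl/certs/serv.crt;
  ssl_certificate_key    /etc/ssl/certs/serv.key;
  ssl_password_file      /etc/nginx/certs/ssl_passwords.txt;
  ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
  ssl_crl                /etc/ssl/ca/private/ca.crl;
  ssl_protocols          TLSv1.2;

  # optional_no_ca requests a client certificate but does not require it to
  # chain to a trusted CA, so the upstream must do the real validation.
  ssl_verify_client optional_no_ca;

  location / {
    # nginx's own identity towards the upstream (mutual TLS, proxy -> Kestrel).
    # This is not the end client's certificate.
    proxy_ssl_certificate     /etc/ssl/certs/serv.crt;
    proxy_ssl_certificate_key /etc/ssl/certs/serv.key;
    proxy_ssl_password_file   /etc/nginx/certs/ssl_passwords.txt;

    # URL-encoded PEM of the certificate the client presented
    # ($ssl_client_escaped_cert exists since nginx 1.13.5).
    # proxy_set_header overrides any same-named header sent by the client,
    # and an empty value (no certificate presented) drops the header.
    proxy_set_header X-Client-Cert   $ssl_client_escaped_cert;

    # nginx's verification result: SUCCESS, FAILED:<reason> or NONE.
    proxy_set_header X-Client-Verify $ssl_client_verify;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass https://prod;
  }
}
```

The upstream application has to URL-decode the header back to PEM, validate the certificate itself, and accept these headers only on connections that authenticated with the proxy's certificate.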