certs=(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
这段永远都是null不知道是哪里问题?nginx?还是tomcat?
网上搜索了不少信息,但是都没有解决,有人直接用tomcat来当https服务器是可以解决,但是我真不想那么做
nginx用http和https打开tomcat的页面都正确了,并且也弹出了证书选择的对话框,但是服务端就是不能获取客户端的认证证书信息
这段是NGINX的配置文件的
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
}
upstream tomcat {
server 192.168.2.114:8080 fail_timeout=0;
}
# HTTPS server
#
server {
listen 443 ssl;
server_name localhost;
ssl_certificate d:/ssl/server.crt;
ssl_certificate_key d:/ssl/server.key;
ssl_client_certificate d:/ssl/ca.crt;
ssl on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_verify_client on;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
# note, there is not SSL here! plain HTTP is used
client_max_body_size 16m;
client_body_buffer_size 128k;
proxy_pass http://tomcat/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_next_upstream off;
proxy_connect_timeout 30;
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
}
这段是tomcat的
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
scheme="https"
proxyName="192.168.2.114"
proxyPort="443" />
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/>
迷茫2017-04-18 10:35:21
自己搜尋了下證書傳遞,似乎找到這麼一篇,還沒經過驗證,可能可以解決這個問題
證書層級結構
伺服器結構
tomcat不要求認證客戶端,nginx要求認證客戶端
tomcat配置注意點
tomcat的伺服器憑證的CN必須為tomcat_backend
nginx配置注意點
使用openssl從pfx檔案匯出pem格式公鑰
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
使用openssl從pfx檔案匯出pem格式私鑰
openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem
使用openssl產生CA憑證鏈
將根CA和中級CA的公鑰憑證匯出,如匯出後檔案名稱分別為root.pem ca.pem
將root.pem ca.pem合併成一個文件,ca.pem在前,root.pem在後
cat ca.pem >> chain.pem
cat root.pem >> chain.pem
nginx server段配置
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate nginx服务器证书公钥;
ssl_certificate_key nginx服务器证书私钥;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; # 如果使用默认值,在谷歌浏览器中会提示使用的加密套件过时
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ; # 如果使用默认值,在谷歌浏览器中会提示使用的加密套件过时
ssl_prefer_server_ciphers on;
ssl_verify_client on; # 开启客户端验证
ssl_verify_depth 2; # 这里一定要注意,服务器证书上面有几级CA就写几
ssl_client_certificate chain.pem; # 证书链 用于验证客户端提供的证书
ssl_trusted_certificate 证书链;
location / {
proxy_pass https://tomcat_backend;
include proxy.conf;
}
}
將客戶端憑證透過http頭傳遞給後端的tomcat。在proxy.conf檔中配置
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Client-Cert $ssl_client_cert; # 将客户端证书放到http头中传递给后端的tomcat
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 30;
proxy_send_timeout 15;
proxy_read_timeout 15;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_ssl_certificate localhost.pem; # 如果后端的tomcat也要求客户端认证,则nginx与tomcat建立连接时会把该证书发送给tomcat
proxy_ssl_certificate_key localhost.key;
proxy_ssl_trusted_certificate chain.pem; # 如果启用了proxy_ssl_verify,则使用该文件中的CA公钥验证后端tomcat的证书
proxy_ssl_verify on; # nginx是否验证后端tomcat的证书
proxy_ssl_verify_depth 2;
關於如果產生CA證書、客戶端證書、伺服器證書,請參閱 《在JEE專案中實施SSL雙向認證》
