搜索

首页  >  问答  >  正文

java - nginx+tomcat+双向SSL认证,jsp文件一直不能获取客户端证书信息

certs=(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

这段永远都是null不知道是哪里问题?nginx?还是tomcat?

网上搜索了不少信息,但是都没有解决,有人直接用tomcat来当https服务器是可以解决,但是我真不想那么做

nginx用http和https打开tomcat的页面都正确了,并且也弹出了证书选择的对话框,但是服务端就是不能获取客户端的认证证书信息

这段是NGINX的配置文件的

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    


    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

    }



    upstream tomcat {
        server 192.168.2.114:8080 fail_timeout=0;
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;
    
        ssl_certificate      d:/ssl/server.crt;
        ssl_certificate_key  d:/ssl/server.key;
        ssl_client_certificate d:/ssl/ca.crt;

    ssl on;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
    ssl_verify_client on;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # note, there is not SSL here! plain HTTP is used
              client_max_body_size    16m;
              client_body_buffer_size 128k;
              proxy_pass                          http://tomcat/;
              proxy_set_header        Host $host;
              proxy_set_header        X-Real-IP $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header           X-Forwarded-Proto https;
              proxy_next_upstream   off;

              proxy_connect_timeout   30;
              proxy_read_timeout      300;
              proxy_send_timeout      300;
        }
    }

}

这段是tomcat的

     <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" 
                   scheme="https"
                   proxyName="192.168.2.114"
                   proxyPort="443" />
                   
   <Valve className="org.apache.catalina.valves.RemoteIpValve"
                      remoteIpHeader="x-forwarded-for"
                      remoteIpProxiesHeader="x-forwarded-by"
                      protocolHeader="x-forwarded-proto"/>
ringa_leeringa_lee2802 天前1229

全部回复(2)我来回复

  • 迷茫

    迷茫2017-04-18 10:35:21

    自己搜索了下证书传递,貌似找到这么一篇,还没经过验证,可能可以解决这个问题

    1. 证书层级结构

    1. 服务器结构

    tomcat不要求认证客户端,nginx要求认证客户端

    1. tomcat配置注意点

    tomcat的服务器证书的CN必须为tomcat_backend

    1. nginx配置注意点

    使用openssl从pfx文件中导出pem格式公钥

    openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
    使用openssl从pfx文件中导出pem格式私钥

    openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem
    使用openssl生成CA证书链

    将根CA和中级CA的公钥证书导出,如导出后文件名分别为root.pem ca.pem

    将root.pem ca.pem合并成一个文件,ca.pem在前,root.pem在后

    cat ca.pem >> chain.pem
    cat root.pem >> chain.pem
    nginx server段配置

    server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate nginx服务器证书公钥;
        ssl_certificate_key nginx服务器证书私钥;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; # 如果使用默认值,在谷歌浏览器中会提示使用的加密套件过时
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ; # 如果使用默认值,在谷歌浏览器中会提示使用的加密套件过时
        ssl_prefer_server_ciphers on;
        ssl_verify_client on; # 开启客户端验证
        ssl_verify_depth 2; # 这里一定要注意,服务器证书上面有几级CA就写几
        ssl_client_certificate chain.pem; # 证书链 用于验证客户端提供的证书
        ssl_trusted_certificate 证书链;
        location / {
            proxy_pass https://tomcat_backend;
            include proxy.conf;
        }
    }
    

    将客户端证书通过http头传递给后端的tomcat。在proxy.conf文件中配置

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header Client-Cert $ssl_client_cert; # 将客户端证书放到http头中传递给后端的tomcat
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 30;
    proxy_send_timeout 15;
    proxy_read_timeout 15;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_ssl_certificate localhost.pem; # 如果后端的tomcat也要求客户端认证,则nginx与tomcat建立连接时会把该证书发送给tomcat
    proxy_ssl_certificate_key localhost.key;
    proxy_ssl_trusted_certificate chain.pem; # 如果启用了proxy_ssl_verify,则使用该文件中的CA公钥验证后端tomcat的证书
    proxy_ssl_verify on; # nginx是否验证后端tomcat的证书
    proxy_ssl_verify_depth 2;
    

    关于如果生成CA证书、客户端证书、服务器证书,请参见 《在JEE项目中实施SSL双向认证》

    回复
    0
  • PHPz

    PHPz2017-04-18 10:35:21

    在JEE项目中实施SSL双向认证

    回复
    0
  • 取消回复