我们有一个不能识别客户端证书的应用程序,并且必须使用客户端证书validation的Web服务。 为了解决这个问题,我们试图使用Nginx来反向代理一个本地(http)url,我们的应用程序将会把它打到远程的HTTPS和客户端证书authentication的服务上。 configuration如下:
location /secure/api/ { proxy_pass https://secure.webservice.com/secure/api/; proxy_ssl_certificate /etc/ssl/api-client.crt; proxy_ssl_certificate_key /etc/ssl/api-client.crt.key; proxy_ssl_verify off; } 当试图连接到反向代理url( http://our.proxy.com/secure/api/ )时,它只是坐在那里并旋转。 如果我们使用wget或openssltesting代理的连接,我们可以成功连接。
这里是一个来自nginx / error.log的snippit:
2015/08/25 15:33:56 [info] 29810#0: *57 client closed connection while waiting for request, client: xxxx, server: 0.0.0.0:80 2015/08/25 15:34:05 [info] 29810#0: *53 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while reading response header from upstream, client: xxxx, server: our.proxy.com, request: "GET /secure/api/ HTTP/1.1", upstream: "https://yyyy:443/secure/api/", host: "our.proxy.com"
“客户端closures连接”线是有关的,我不确定连接的哪一侧正在closures连接; 客户端 – >代理或代理 – >上游。
另外,值得注意的是tcpdump确实显示nginx正在启动一个连接到secure.webservice.com超过443的连接。
我觉得解决这个问题的第一步是破译连接的哪一边正在closures,为什么……思考?
提前致谢。
注:xxxx是本地(私人)ip,yyyy是互联网(公共)ip。
这里和这里有一些关于这个configuration的文章。 我们还使用Nginx的客户端SSL证书,并使用http / httpsredirect进行以下工作configuration:
#config for upstream app servers (not aware of SSL) upstream appcluster { server XXX1:8000; server XXX2:8000; } # http-to-https redirect server { listen 80; server_name localhost; return 301 https://$server_name$request_uri; } # resolves SSL & client SSL here server { listen 443; server_name localhost; ssl on; ssl_certificate <path to cert.pem>; ssl_certificate_key <path to cert.key>; ssl_client_certificate <path to CA authority to resolve client ssl - this is ca.crt>; ssl_verify_client on; ... # after ssl resolution forward to upstream cluster location /restService { ... proxy_pass http://appcluster/restService; } }