问题
I have a rails 4 project with some API.
This project runs with nginx v.1.6.3 and https on production.
Nginx configurations:
upstream app {
# Path to Unicorn SOCK file, as defined previously
server unix:/tmp/unicorn.my_domain.sock fail_timeout=0;
}
server {
listen 80;
server_name my_domain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/public.crt;
ssl_certificate_key /etc/nginx/ssl/private.rsa;
server_name my_domain.com;
root /var/www/current;
location /assets {
root /var/www/current/public;
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @app;
location @app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
Problem
API requests (POST /api/some_path/create etc.) should be protected with two-way SSL.
Only one service will use this API (only 1 client with one certificate)
Question
- Does nginx able to handle
two-way SSL? two-way SSLshould be implemented onnginxlayer, not in web-application logic. am I right?- How to set up
nginxto catch clients which sends requests to/api/...url and authenticate them withtwo-way SSL?
I just need a basic example, to understand how it should work.
回答1:
- Yes (see the ssl_client_certificate and ssl_verify_client directives).
- Depends on your application, but in this case where you only need to verify that the certificate was signed by a certain CA, that's correct.
You would need to create a CA and a client certificate signed by said CA and use that CA for verifying the client certificate on the server side.
Now, what you need to consider is how you will solve the problem that the ssl_client_certificate and ssl_verify_client directives doesn't support being used in a location block (e.g. they can only be used in a http or server block).
I would suggest creating an own subdomain for the API (e.g. api.my_domain.com) and access the API from the service with that address.
Example configuration:
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/public.crt;
ssl_certificate_key /etc/nginx/ssl/private.rsa;
ssl_client_certificate /etc/nginx/ssl/client_ca.pem;
ssl_verify_client on;
server_name api.my_domain.com;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app/api;
}
}
来源:https://stackoverflow.com/questions/35574958/how-to-set-up-two-way-ssl-in-nginx-for-custom-location