nginx ssl 双向认证

jackyrar

Nginx的浏览器/服务器双向SSL证书认证配置

文章分类:操作系统   
最近的项目中需要安全性控制，而我又懒得改动后台的程序代码，故而想在反向代理层加入SSL证书验证。　　

　　一直在用Nginx做反向代理，但是其SSL的配置只用过普通的服务端单向证书。在Google，百度狂搜一通之后，一无所获，依旧是那老三样，只有单向认证的示例。浏览器端双向认证的配置好像从没人写过。

　　

　　无奈之下，只好从OpenSSL的客户端证书开始学起，一点一点啃，大段大段的E文让我这半瓶子醋看的头晕眼晕。最后在

　　http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

　　的提示下终于把这个证书搞定，来秀一个。

　　

　　这需要一下几个步骤：

　　1) 安装openssl用来做证书认证

　　2) 创建一个CA根证书

　　3) 创建一个自签名的服务器证书

　　4) 设置Nginx

　　5) 创建客户端证书

　　6) 安装客户端证书到浏览器

　　7) Profit.

　　

　　1)

　　这一步我是在ubuntu下直接apt-get装的openssl, 配置文件安装在/etc/ssl/openssl.cnf

　　修改openssl.cnf的以下几段

　　[ ca ]

　　default_ca = foo

　　

　　Openssl将会寻找名称为foo的配置段

　　

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• [ foo ]
  
• dir = /etc/ssl/private
  
• database = $dir/index.txt
  
• serial = $dir/serial
  
• private_key = $dir/ca.key
  
• certificate = $dir/ca.crt
  
• default_days = 3650
  
• default_md = md5
  
• new_certs_dir = $dir
  
• policy = policy_match
  

[ foo ]　　
dir = /etc/ssl/private
　　
database = $dir/index.txt
　　
serial = $dir/serial
　　
private_key = $dir/ca.key
　　
certificate = $dir/ca.crt
　　
default_days = 3650
　　
default_md = md5
　　
new_certs_dir = $dir
　　
policy = policy_match
　　

　　

　　policy_match 我保持默认值没有改

　　

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• [ policy_match ]
  
• countryName = match
  
• stateOrProvinceName = match
  
• organizationName = match
  
• organizationalUnitName = match
  
• commonName = supplied
  
• emailAddress = optional
  

[ policy_match ]　　
countryName = match
　　
stateOrProvinceName = match
　　
organizationName = match
　　
organizationalUnitName = match
　　
commonName = supplied
　　
emailAddress = optional
　　

　　

　　默认签发有效期为10年，你可以自己设置一个合适的值

　　

　　2)

　　创建一个新的CA根证书

　　下面的几个脚本我都放在/etc/ssl目录下

　　

　　new_ca.sh:

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• #!/bin/sh
  
• # Generate the key.
  
• openssl genrsa -out private/ca.key
  
• # Generate a certificate request.
  
• openssl req -new -key private/ca.key -out private/ca.csr
  
• # Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
  
• # I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
  
• # service will never see the light of an unencrypted Internet see the cheap and lazy remark.
  
• # So self sign our root key.
  
• openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
  
• # Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
  
• echo FACE > private/serial
  
• # Create the CA's key database.
  
• touch private/index.txt
  
• # Create a Certificate Revocation list for removing 'user certificates.'
  
• openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
  

#!/bin/sh　　
# Generate the key.
　　
openssl genrsa -out private/ca.key
　　
# Generate a certificate request.
　　
openssl req -new -key private/ca.key -out private/ca.csr
　　
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
　　
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
　　
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.
　　
# So self sign our root key.
　　
openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
　　
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.

　　
echo>　　
# Create the CA's key database.
　　
touch private/index.txt
　　
# Create a Certificate Revocation list for removing 'user certificates.'
　　
openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
　　

　　

　　执行 sh new_ca.sh 生成新的CA证书

　　

　　3)

　　生成服务器证书的脚本

　　

　　new_server.sh:

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• # Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
  
• openssl genrsa -out private/server.key
  
• # Take our key and create a Certificate Signing Request for it.
  
• openssl req -new -key private/server.key -out private/server.csr
  
• # Sign this bastard key with our bastard CA key.
  
• openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt
  

# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.　　
openssl genrsa -out private/server.key
　　
# Take our key and create a Certificate Signing Request for it.
　　
openssl req -new -key private/server.key -out private/server.csr
　　
# Sign this bastard key with our bastard CA key.
　　
openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt
　　

　　

　　执行 sh new_server.sh 生成新服务器的证书

　　

　　4)

　　最要命的一步，尝试多次后终于搞明白。

　　配置 nginx 的ssl支持

　　

　　我的配置如下:

　　

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• # HTTPS server
  
• #
  
• server {
  
• listen   443;
  
• server_name  localhost;
  

# HTTPS server　　
#
　　
server {
　　
listen   443;
　　
server_name  localhost;
　　

　　

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• # 打开ssl
  
• ssl  on;
  
• # 上一步生成的服务器证书
  
• ssl_certificate  /etc/ssl/private/server.crt;
  
• # 服务器证书公钥
  
• ssl_certificate_key  /etc/ssl/private/server.key;
  
• # 客户端证书签名 也就是第二步生成的CA签名证书
  
• ssl_client_certificate   /etc/ssl/private/ca.crt;
  
• # ssl session 超时
  
• ssl_session_timeout  5m;
  
• # 打开SSL客户端校验 (双向证书检测)
  
• ssl_verify_client on;
  
• 
  
• #ssl_protocols  SSLv2 SSLv3 TLSv1;
  
• #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  
• ssl_prefer_server_ciphers   on;
  
• 
  
• location / {
  
• root   /var/www/nginx-default;
  
• index  index.html index.htm;
  
• }
  

# 打开ssl　　
ssl  on;
　　
# 上一步生成的服务器证书
　　
ssl_certificate  /etc/ssl/private/server.crt;
　　
# 服务器证书公钥
　　
ssl_certificate_key  /etc/ssl/private/server.key;
　　
# 客户端证书签名 也就是第二步生成的CA签名证书
　　
ssl_client_certificate   /etc/ssl/private/ca.crt;
　　
# ssl session 超时
　　
ssl_session_timeout  5m;
　　
# 打开SSL客户端校验 (双向证书检测)
　　
ssl_verify_client on;
　　
#ssl_protocols  SSLv2 SSLv3 TLSv1;
　　
#ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
　　
ssl_prefer_server_ciphers   on;
　　
location / {
　　
root   /var/www/nginx-default;
　　
index  index.html index.htm;
　　
}
　　

　　

　　启动你的nginx ,等待客户连接

　　

　　5)

　　现在来生成客户端证书

　　

　　new_user.sh:

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• #!/bin/sh
  
• # The base of where our SSL stuff lives.
  
• base="/etc/ssl/private"
  
• # Were we would like to store keys... in this case we take the username given to us and store everything there.
  
• mkdir -p $base/users/$1/
  
• 
  
• # Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
  
• openssl genrsa -des3 -out $base/users/$1/$1.key 1024
  
• # Create a Certificate Signing Request for said key.
  
• openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
  
• # Sign the key with our CA's key and cert and create the user's certificate out of it.
  
• openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
  
• 
  
• # This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
  
• # The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
  
• # Take the same precaution with the export password that would take with any other password based authentication scheme.
  
• openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12
  

#!/bin/sh　　
# The base of where our SSL stuff lives.
　　
base="/etc/ssl/private"
　　
# Were we would like to store keys... in this case we take the username given to us and store everything there.
　　
mkdir -p $base/users/$1/
　　
# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
　　
openssl genrsa -des3 -out $base/users/$1/$1.key 1024
　　
# Create a Certificate Signing Request for said key.
　　
openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
　　
# Sign the key with our CA's key and cert and create the user's certificate out of it.
　　
openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
　　
# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
　　
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
　　
# Take the same precaution with the export password that would take with any other password based authentication scheme.
　　
openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12
　　

　　

　　执行 sh new_user.sh yourname 来生成一个 yourname 的client证书

　　按照提示一步一步来，这里要注意的是客户证书的几个项目要和根证书匹配

　　也就是第一步时配置的:

Java代码  http://hlee.iteye.com/images/icon_star.pnghttp://hlee.iteye.com/images/spinner.gif

• countryName = match
  
• stateOrProvinceName = match
  
• organizationName = match
  
• organizationalUnitName = match
  

countryName = match　　
stateOrProvinceName = match
　　
organizationName = match
　　
organizationalUnitName = match
　　

　　

　　不一致的话无法生成最后的客户证书

　　

　　6)

　　发送上一步生成的 yourname.p12 到客户端。

　　IE下双击安装就可以导入。

　　FireFox安装 :

　　Go into preferences.

　　Advanced.

　　View Certificates.

　　Import.

　　Enter master password for FireFox (if you don't have one set one here otherwise stolen laptop = easy access).

　　Enter in the export password given to you by the dude who created your cert.

　　Hit OK like a mad man.

　　

　　打开网站会弹出对话框来要求你选择使用哪个证书，选择刚才安装的证书。选择接受服务器证书。现在你可以正常访问服务器拉。如果没弄对的话就会出现400 Bad request certification的错误