Client certificate prompt not shown with nginx

Time: 2014-07-28 11:16:02

Tags: ssl nginx

I have a CA certificate bundle and am trying to integrate client certificate authentication with nginx at the browser level. I cannot get the prompt that asks for a certificate to be sent for SSL authentication. I am not sure what I am missing here; any help on this would be highly appreciated.

Below is the nginx configuration

    #
    # HTTPS server configuration
    #

    server {
        listen          10.0.111.118:8443;
        ssl             on;
        server_name     reverseproxy.in;

        ### SSL cert files ###
        ssl_certificate         conf.d/MonetServer.cer;
        ssl_certificate_key     conf.d/MonetServer.key;
        # CA bundle the client certificate must chain to; these are the CA
        # names the server advertises in its CertificateRequest.
        ssl_client_certificate  conf.d/Bundle.crt;

        ssl_verify_client on;

        server_tokens off;
        access_log      logs/ssl/esmarts-access.log;
        error_log       logs/ssl/esmarts-error.log;

        # Note: proxy_set_header is inherited from this level only by locations
        # that define no proxy_set_header of their own. Every location below sets
        # its own headers, so these server-level ones (including the client
        # serial and verify headers) are not sent for those locations.
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Floof-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header  X-Floof-SSL-Client-Verify $ssl_client_verify;

        ### We want full access to SSL via backend ###
        location / {
            proxy_pass  http://10.0.111.125:8080/esmart/index.html;

            ### Force timeouts if one of the backends has died ###
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            ### Set headers ###
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            # $ssl_client_cert is the full PEM certificate, not the subject DN
            # ($ssl_client_s_dn) that the header name suggests.
            proxy_set_header        X-SSL-Client-S-DN $ssl_client_cert;
            ### Most PHP, Python, Rails and Java apps can use this header ###
            #proxy_set_header       X-Forwarded-Proto https;
            # This is better:
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;

            ### By default we don't want to redirect ###
            proxy_redirect     off;
        }

        location /esmart/VAADIN {
            proxy_pass  http://10.0.111.125:8080/esmart/VAADIN;

            ### Force timeouts if one of the backends has died ###
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            ### Set headers (see the notes in location / above) ###
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header        X-SSL-Client-S-DN $ssl_client_cert;
            ### Most PHP, Python, Rails and Java apps can use this header ###
            #proxy_set_header       X-Forwarded-Proto https;
            # This is better:
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;

            ### By default we don't want to redirect ###
            proxy_redirect     off;
        }

        location /esmart/jsp {
            proxy_pass  http://10.0.111.125:8080/esmart/jsp;

            ### Force timeouts if one of the backends has died ###
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            ### Set headers (see the notes in location / above) ###
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header        X-SSL-Client-S-DN $ssl_client_cert;
            ### Most PHP, Python, Rails and Java apps can use this header ###
            #proxy_set_header       X-Forwarded-Proto https;
            # This is better:
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;

            ### By default we don't want to redirect ###
            proxy_redirect     off;
        }

        location /esmart/APP {
            proxy_pass  http://10.0.111.125:8080/esmart/APP;

            ### Force timeouts if one of the backends has died ###
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            ### Set headers (see the notes in location / above) ###
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header        X-SSL-Client-S-DN $ssl_client_cert;
            ### Most PHP, Python, Rails and Java apps can use this header ###
            #proxy_set_header       X-Forwarded-Proto https;
            # This is better:
            proxy_set_header        X-Forwarded-Proto $scheme;
            add_header              Front-End-Https   on;

            ### By default we don't want to redirect ###
            proxy_redirect     off;
        }
    }

I keep getting the error

400 Bad Request

No required SSL certificate was sent

The client certificate is already installed on my computer; the problem, I assume, is that the browser is not requesting the client certificate that is already installed on the client.

2 answers:

Answer 0 (score: 1)

Just posted an answer here: https://serverfault.com/a/764509/344286

Make sure you can authenticate with cURL to verify that your nginx is set up correctly. Once that is confirmed, you can focus on generating a PKCS12 profile and installing it in the browser.
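One way to do the check this answer recommends before touching the browser, as an added example that is not part of the answer or of nginx: parse the output of `openssl s_client` to see whether the server sends a CertificateRequest at all and which CA names (the ones from Bundle.crt) it lists. The host, port and the sample output are constructed for the example.

```python
import re
import subprocess

# Section markers as printed by `openssl s_client` (1.0.x through 3.x).
CA_HEADER = "Acceptable client certificate CA names"
SECTION_END = ("---", "Client Certificate Types", "Requested Signature Algorithms",
               "Shared Requested Signature Algorithms", "Peer signing digest")

def acceptable_ca_names(s_client_output):
    """Return the CA DNs the server listed in its CertificateRequest.

    An empty list means the server never asked for a client certificate (check
    ssl_verify_client / ssl_client_certificate); a browser only shows the prompt
    when one of its installed certificates chains to a CA in this list."""
    names, in_section = [], False
    for line in s_client_output.splitlines():
        line = line.strip()
        if line == CA_HEADER:
            in_section = True
        elif in_section:
            if not line or line.startswith(SECTION_END):
                break
            names.append(line)
    return names

def verify_return_code(s_client_output):
    """Numeric 'Verify return code' for the server chain (0 means it validated)."""
    m = re.search(r"Verify return code:\s*(\d+)", s_client_output)
    return int(m.group(1)) if m else None

def probe(host, port, timeout=10.0):
    """Run openssl s_client against host:port (no client cert) and return its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    done = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (done.stdout + done.stderr).decode(errors="replace")

# Constructed sample of s_client output from a server configured like the question's.
SAMPLE_OUTPUT = """\
---
Acceptable client certificate CA names
/C=IN/O=Example Corp/CN=Example Client CA
/C=IN/O=Example Corp/CN=Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
---
    Verify return code: 18 (self signed certificate)
"""

if __name__ == "__main__":  # live check: acceptable_ca_names(probe("reverseproxy.in", 8443))
    print(acceptable_ca_names(SAMPLE_OUTPUT), verify_return_code(SAMPLE_OUTPUT))
```

If the list is empty, the browser cannot be expected to prompt; if it lists the right CAs and cURL with the client certificate succeeds, the remaining problem is on the browser side.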

Answer 1 (score: 0)

I ran into this problem using Chromium. It seems the browser does not request a client certificate on non-standard HTTPS ports (other than 443). Adjusting the configuration to listen on port 443 fixed the problem.