以下是我的Nginx配置
server {
# Plain-HTTP listener: its only job is to redirect to the TLS server below.
listen 80;
server_name acme.com;
# Permanent redirect built from $server_name rather than $host, so the target
# is always https://acme.com/... regardless of the Host header the client sent.
return 301 https://$server_name$request_uri;
}
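server {
    listen 443 ssl;
    server_name acme.com;

    # Server-side certificate: should chain to a CA the clients already trust.
    ssl_certificate acme.com.crt;
    ssl_certificate_key acme.com.key;

    # Client-certificate (mutual TLS) setup. "optional" lets the handshake
    # complete even when no client certificate is presented, so each location
    # that requires one must test $ssl_client_verify itself
    # (values: SUCCESS, NONE, or FAILED:<reason>).
    ssl_client_certificate /etc/ssl/acme/certs/ca.crt;
    ssl_crl /etc/ssl/acme/private/ca.crl;
    ssl_verify_client optional;
    ssl_verify_depth 5;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996). They are left enabled here
    # so that the clients this site serves are not cut off; remove them once
    # TLSv1.2 support has been confirmed for all of them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Fixed two typos in the cipher string: '!MD5!PSK' lacked the ':' separator
    # (so '!PSK' was not a separate rule) and '!eNull' was not the documented
    # alias spelling (eNULL).
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    # OCSP stapling. NOTE(review): verifying the stapled response requires the
    # issuer chain to be trusted; confirm whether ssl_trusted_certificate is
    # needed here in addition to ssl_client_certificate.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers. add_header is inherited by a location only when that
    # location sets no add_header of its own; none of the locations below do,
    # so these apply to every response from this server.
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/html;
    index index.php index.html index.htm;

    # HTTP basic auth for the whole server. It runs in the access phase; the
    # 'return' directives inside the locations below run in the earlier rewrite
    # phase, so those early responses are sent before basic auth is evaluated.
    auth_basic "Restricted Area";
    auth_basic_user_file .htpasswd;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # pass the PHP scripts to FastCGI server listening on the php-fpm socket
    location ~ \.php$ {
        # Reject unless a client certificate was presented and verified against
        # ca.crt / ca.crl. The DN and serial params below are only sent after
        # this check passes, so PHP can treat them as an authenticated identity.
        # ('return' inside 'if' is one of the forms that is safe to use here.)
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        try_files $uri $uri/ /index.php?$args;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_keep_conn on;
        fastcgi_param DN $ssl_client_s_dn;
        fastcgi_param DNi $ssl_client_i_dn;
        fastcgi_param CERT_SERIALNO $ssl_client_serial;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Workaround kept from the original config: the device's download client
    # cannot present a client certificate, so a non-verified request gets an
    # empty 200 (body length 0, as the access log shows) instead of the plist.
    # Verified requests fall through try_files to /index.php, where the
    # \.php$ location applies the 403 check above.
    location /api/2/apps/corp.acme.exampleapp {
        if ($ssl_client_verify != SUCCESS) {
            return 200;
        }
        try_files $uri $uri/ /index.php?$args;
    }
    # Same workaround as the location above.
    location /api/2/apps/corp.acme.anotherapp {
        if ($ssl_client_verify != SUCCESS) {
            return 200;
        }
        try_files $uri $uri/ /index.php?$args;
    }

    access_log /var/log/nginx/access.log;
    # 'debug' is extremely verbose (per-connection allocation traces, as in the
    # excerpt below) and is meant for troubleshooting only; lower it afterwards.
    error_log /var/log/nginx/error.log debug;
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }
}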
这一切都出了问题。我不得不强制返回 200，因为设备上的下载客户端无法传递证书，所以请忽略这一部分。
/api/2/apps/corp.acme.exampleapp?format=plist HTTP/1.1" 200 0 "-" "itunesstored/1.0 iOS/8.3 model/iPhone7,1 build/12F70 (6; dt:107)"
==> /var/log/nginx/error.log <==
2015/05/05 13:01:05 [debug] 1561#0: *195 free: 0000000001262750, unused: 24
2015/05/05 13:01:05 [debug] 1561#0: *195 free: 0000000001231120, unused: 2780
2015/05/05 13:01:05 [debug] 1561#0: *195 free: 000000000123A000
2015/05/05 13:01:05 [debug] 1561#0: *195 hc free: 0000000000000000 0
2015/05/05 13:01:05 [debug] 1561#0: *195 hc busy: 0000000000000000 0
2015/05/05 13:01:05 [debug] 1561#0: *195 free: 0000000001244D30
2015/05/05 13:01:05 [debug] 1561#0: *195 tcp_nodelay
2015/05/05 13:01:05 [debug] 1561#0: *195 reusable connection: 1
2015/05/05 13:01:05 [debug] 1561#0: *195 event timer add: 6: 65000:1430830930999
2015/05/05 13:01:07 [debug] 1561#0: *195 post event 000000000127B890
2015/05/05 13:01:07 [debug] 1561#0: *195 delete posted event 000000000127B890
2015/05/05 13:01:07 [debug] 1561#0: *195 http keepalive handler
2015/05/05 13:01:07 [debug] 1561#0: *195 malloc: 000000000123A000:1024
2015/05/05 13:01:07 [debug] 1561#0: *195 SSL_read: 0
2015/05/05 13:01:07 [debug] 1561#0: *195 SSL_get_error: 5
2015/05/05 13:01:07 [debug] 1561#0: *195 peer shutdown SSL cleanly
2015/05/05 13:01:07 [info] 1561#0: *195 client 192.168.1.55 closed keepalive connection
2015/05/05 13:01:07 [debug] 1561#0: *195 close http connection: 6
2015/05/05 13:01:07 [debug] 1561#0: *195 SSL_shutdown: 1
2015/05/05 13:01:07 [debug] 1561#0: *195 event timer del: 6: 1430830930999
2015/05/05 13:01:07 [debug] 1561#0: *195 reusable connection: 0
2015/05/05 13:01:07 [debug] 1561#0: *195 free: 000000000123A000
2015/05/05 13:01:07 [debug] 1561#0: *195 free: 0000000000000000
2015/05/05 13:01:07 [debug] 1561#0: *195 free: 000000000122F8C0, unused: 0
2015/05/05 13:01:07 [debug] 1561#0: *195 free: 000000000122BFD0, unused: 32
2015/05/05 13:01:07 [debug] 1561#0: *195 free: 0000000001262140, unused: 144
答案 0 :(得分:0)
此问题归结为 Apple 如何加载 plist 的问题。
它无法使用自签名证书，因为这些证书不在其钥匙串中，所以加载会失败。