
Configuring HTTPS mutual (two-way) authentication with nginx and ingress

Published: 2020-08-12 10:15:17  Source: web  Reads: 1160  Author: super李導  Category: system operations

Mutual authentication with nginx supports revoking client certificates.

In k8s, configuring TLS on an ingress can enforce client authentication, but revocation does not work properly there; repeated tests failed to get it working (k8s version 1.14.8).


1 Mutual HTTPS authentication with nginx


    Mutual authentication can be set up entirely on your own. It is independent of the CA-issued server certificate: you only need to create your own CA and client certificates.

    If you have no CA-issued certificate, you can also use a self-built CA to sign a local server certificate and then sign the client certificate, giving mutual authentication in a local environment; this is common for testing.


1.1 Prepare the nginx environment

    Install nginx
    yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel
    rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
    yum install nginx -y
    nginx -v
    systemctl start nginx


1.2 Configure nginx

    Edit the nginx configuration file; the certificate paths and names below are the ones planned for this setup.

    vi /etc/nginx/conf.d/443.conf

    ca.crl is the revocation list; leave the ssl_crl directive commented out until a revocation has actually been performed (section 1.5).

server {
    listen 443 ssl;
    server_name www.younihao.com;

    ssl_certificate           /etc/nginx/ca/server/server.crt;
    ssl_certificate_key       /etc/nginx/ca/server/server.key;
    ssl_client_certificate    /etc/nginx/ca/private/ca.crt;   # CA that issued the client certificates

    ssl_session_timeout 5m;
    ssl_verify_client on;                                     # require and verify a client certificate

    # protocol and cipher lists as in the original post; both permit legacy options, so tighten them outside test environments
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
#   ssl_crl /etc/nginx/ca/private/ca.crl;                     # enable after a revocation (section 1.5.6)

    charset utf-8;
    access_log logs/host.access.log main;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
        expires 90d;
    }
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}


1.3 Create the self-signed CA, server and client certificates

    1.3.1 Create the certificate directories

cd /etc/nginx/
mkdir ca
cd ca/
mkdir newcerts private conf server users

    1.3.2 Create the openssl configuration file

vi /etc/nginx/ca/conf/openssl.conf
[ ca ]
default_ca = myserver

[ myserver ]
dir = /etc/nginx/ca
database = /etc/nginx/ca/index.txt
new_certs_dir = /etc/nginx/ca/newcerts
certificate = /etc/nginx/ca/private/ca.crt
serial = /etc/nginx/ca/serial
private_key = /etc/nginx/ca/private/ca.key
RANDFILE = /etc/nginx/ca/private/.rand

default_days = 3650
default_crl_days = 3650
default_md = sha256
unique_subject = no

policy = policy_any

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
emailAddress = optional

    1.3.3 Generate the CA, server and client certificates

 Generate the CA
 openssl genrsa -out /etc/nginx/ca/private/ca.key
 openssl req -new -key /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.csr
 openssl x509 -req -days 3650 -in /etc/nginx/ca/private/ca.csr -signkey /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.crt

 Set the starting serial number
 echo FACE > /etc/nginx/ca/serial
 Create the CA database
 touch /etc/nginx/ca/index.txt
 Create a certificate revocation list
 openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 3670 -config "/etc/nginx/ca/conf/openssl.conf"

 Generate the self-signed server certificate
 openssl genrsa -out /etc/nginx/ca/server/server.key 2048
 openssl req -new -key /etc/nginx/ca/server/server.key -out /etc/nginx/ca/server/server.csr
 openssl ca -in /etc/nginx/ca/server/server.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

 Generate the client certificate
 openssl genrsa -out /etc/nginx/ca/users/client.key 2048
 openssl req -new -key /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.csr
 openssl ca -in /etc/nginx/ca/users/client.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"
The req commands above prompt for a series of fields when creating the certificate request; see the figures below.
For the Common Name field, the server certificate request must contain the domain name; there is no requirement for the CA and client. Keep the other fields identical across all three requests, since the policy_any section above requires the country, state and organization to match the CA certificate.

[Figures: openssl req prompts for the CA, server and client certificate requests]

    1.3.4 Convert the client certificate to a PKCS12 file

    You are asked to set a password when generating this file; the browser will need it when importing the certificate.

openssl pkcs12 -export -clcerts -in /etc/nginx/ca/users/client.crt -inkey /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.p12


1.4 Verify mutual authentication

    1.4.1 With the nginx configuration edited and all certificate paths and names correct:

        nginx -t          # check the configuration syntax

        nginx -s reload   # load the new configuration


    1.4.2 Download the client.p12 file

        sz /etc/nginx/ca/users/client.p12


    1.4.3 Add the client certificate to the browser

            The procedure differs per browser; search for how to import a p12 certificate file, then restart the browser after importing.

            Visiting https://www.younihao.com in the browser brings up a certificate selection dialog; choose the myclient certificate and the page loads normally.

            Without a certificate the request gets a 400 Bad Request (No required SSL certificate was sent) error.


1.5 Revoke the client certificate

    1.5.1 Look up the serial number

openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject

[root@loaclhost ]# openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject
serial=FACF     ## the serial number is FACF
subject= /C=cn/ST=henan/O=supercom/L=zhengzhou/CN=myclient

    1.5.2 Create the crlnumber file

echo 01 > /etc/nginx/ca/crlnumber    ## only needed the first time

    1.5.3 Add the revocation setting to the openssl configuration

vi /etc/nginx/ca/conf/openssl.conf    ## add the line below to the [ myserver ] section
crlnumber = /etc/nginx/ca/crlnumber

    1.5.4 Revoke the client certificate

openssl ca -revoke /etc/nginx/ca/newcerts/FACF.pem -config "/etc/nginx/ca/conf/openssl.conf"    ## FACF.pem is the copy openssl ca stored under the serial number found in 1.5.1

    1.5.5 Regenerate the CRL

openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -config "/etc/nginx/ca/conf/openssl.conf"

Check that the revocation succeeded (the serial from 1.5.1 should appear under "Revoked Certificates")
openssl crl -in /etc/nginx/ca/private/ca.crl -noout -text

    1.5.6 Adjust the nginx parameters

vi /etc/nginx/conf.d/443.conf    ## enable the ssl_crl directive
ssl_crl /etc/nginx/ca/private/ca.crl;
nginx -t    # check the configuration, then reload
nginx -s reload

    1.5.7 Verify the revocation result

    Visit the site again in the browser and select the same certificate; if access is refused, the revocation succeeded.
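The CA, issuance and revocation steps of sections 1.3 and 1.5 as one runnable script, added here as an example rather than taken from the post: it assumes only the openssl command line, uses a temporary directory instead of /etc/nginx/ca, and constructed subject names (demo-ca, plus client names passed as arguments). check_client runs the same chain-plus-CRL validation nginx applies once ssl_crl is set.

```shell
# Added example, not the post's own commands: throwaway CA built with the same openssl
# subcommands, a client cert issued, revoked and re-checked against the CRL. All paths
# and subjects are constructed; assumes the openssl CLI (1.1.1 or 3.x) is installed.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
# Layout, database, serial, crlnumber and a minimal openssl.conf (sections 1.3.1-1.3.3,
# with the crlnumber file the post only adds in 1.5.2 present from the start).
setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/users"
    touch "$CA_DIR/index.txt"; echo FACE > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.conf" <<EOF
[ ca ]
default_ca = myserver
[ myserver ]
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
certificate = $CA_DIR/private/ca.crt
private_key = $CA_DIR/private/ca.key
serial = $CA_DIR/serial
crlnumber = $CA_DIR/crlnumber
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
        -config "$CA_DIR/openssl.conf" -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/private/ca.crt" 2>/dev/null
}
# Sign a client certificate with the CA (section 1.3.3, client step; -batch skips the prompts).
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CA_DIR/openssl.conf" \
        -keyout "$CA_DIR/users/$1.key" -out "$CA_DIR/users/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/openssl.conf" -in "$CA_DIR/users/$1.csr" -out "$CA_DIR/users/$1.crt" 2>/dev/null
}
# Publish the CRL (1.3.3 / 1.5.5); revoke a client cert and republish it (1.5.4 / 1.5.5).
gen_crl() { openssl ca -gencrl -config "$CA_DIR/openssl.conf" -out "$CA_DIR/private/ca.crl" 2>/dev/null; }
revoke_client() { openssl ca -revoke "$CA_DIR/users/$1.crt" -config "$CA_DIR/openssl.conf" 2>/dev/null; gen_crl; }
# The chain + CRL check nginx performs once ssl_crl is enabled; prints "ok" or "revoked".
check_client() {
    if openssl verify -crl_check -CAfile "$CA_DIR/private/ca.crt" -CRLfile "$CA_DIR/private/ca.crl" \
        "$CA_DIR/users/$1.crt" >/dev/null 2>&1; then echo ok; else echo revoked; fi
}
```

A second client issued by the same CA keeps passing after the first one is revoked, which is the per-certificate behaviour the CRL gives you over simply rotating the CA.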


1.6 nginx authentication references

https://blog.csdn.net/rexueqingchun/article/details/82251563
https://help.aliyun.com/document_detail/54508.html?spm=5176.2020520152.0.0.61bb16ddEk6YWC


2 Mutual HTTPS authentication with ingress (no revocation)


2.1 Example ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: nginx-test
  namespace: default
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret


2.2 Create tls-secret and ca-secret

tls-secret can hold either a self-signed server certificate or one issued by a CA
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key

Create ca-secret from your own CA directory
cd /etc/nginx/ca/private
kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt

Then create the ingress
kubectl create -f ingress.yaml


2.3 Other annotations

For cross-origin (CORS) requests, add the annotations below to the ingress
    nginx.ingress.kubernetes.io/cors-allow-headers: >-
      DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
    nginx.ingress.kubernetes.io/cors-allow-methods: 'PUT, GET, POST, OPTIONS'
    nginx.ingress.kubernetes.io/cors-allow-origin: '*'
    nginx.ingress.kubernetes.io/enable-cors: 'true'

Force HTTPS (redirect to 443)
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'

Restrict access to a source IP whitelist
    nginx.ingress.kubernetes.io/whitelist-source-range: '192.168.5.3'


2.4 ingress references

https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/
https://kubernetes.github.io/ingress-nginx/examples/PREREQUISITES/#client-certificate-authentication
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/



