nginx 认证多个客户端的问题
2019獨角獸企業重金招聘Python工程師標準>>>
https://stackoverflow.com/questions/48937334/nginx-client-authentication-with-multiple-client-certificates
具體參考這個文章
I am trying to set up a NGINX to perform client authentication against multiple clients. The problem I have is that those clients will have different certificates, basically different Root CAs:
[clientA.crt] ClientA > IntermediateA > RootA [clientB.crt] ClientB > IntermediateB1 > IntermediateB2 > RootBanswer:
The?http://nginx.org/r/ssl_client_certificate?directive is used to specify which certificates you trust for client-based authentication. Note that the whole list is basically sent every time a connection is attempted (use?ssl_trusted_certificate?as per the docs if that's not desired).
As per above, note that?ssl_verify_depth?basically controls how easy would it be to get into your system — if you set it at a high-enough value, and someone is able to obtain a certificate with one of the CAs that you trust, or through one of their intermediaries which they trust to generate their own certificates, then they'd be able to authenticate with your nginx, whether or not that's your desire.
As such, it'd normally be the practice that all certificates that are used for client-based authentication are generated by a privately sanctioned CA, hence, normally, there shouldn't be much of a length to the chain. If you want to equalise the depth number between the two CAs, to get the best protection from?ssl_verify_depth, then it's conceivable to create an extra CA to add to the depth, then that CA to the trusted list instead of what's now an actual intermediary. (Note that it gets complicated once you involve a few intermediaries, the browser would need to know of their existence, which is usually cached, and can result in a number of ghost issues when non-cached.)
Also, note that you don't actually have to have a single CA in the specified file — it can include multiple unrelated "root" CAs, so, if you want to add multiple independent CAs, you don't actually have to bother creating another CA to certify them — you can just include such independent CAs as-is.
轉載于:https://my.oschina.net/u/228832/blog/3032189
總結
以上是生活随笔為你收集整理的nginx 认证多个客户端的问题的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: Zabbix 4.2 发布:支持Prom
- 下一篇: 微软Skype突破!视讯人数上限来到50