Nginx

ssl_verify_client 用於除某些路徑之外的所有路徑

  • December 27, 2016

我有一個在子域上執行的伺服器,配置如下:

server {
 listen 80 default_server;
 listen [::]:80 default_server;

 server_name x.example.com;

 return 301 https://$server_name$request_uri;
}

server {
 listen 443 ssl;
 listen [::]:443 ssl;

 <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>

 ssl_client_certificate /etc/ssl/certs/root-ca.crt;
 ssl_verify_client on;
 ssl_verify_depth 2;

 root /var/www/html;
 index index.html index.htm;

 location / {
   try_files $uri $uri/ =404;
 }
}

目前,我使用自己的根 CA 進行客戶端驗證和伺服器的主證書。我想過渡到使用 Let’s Encrypt 證書,但這會帶來問題,因為 Let’s Encrypt 驗證過程需要訪問x.example.com/.well-known並且沒有匹配的客戶端證書。

我已經嘗試像這樣添加第二個伺服器塊,如此處推薦,但我無法讓它工作:

server {
 listen 443 ssl;
 listen [::]:443 ssl;

 server_name x.example.com;

 <same Mozilla configuration--I've got it stored as a snippet>

 ssl_verify_client off;

 root /var/www/html;
 index index.html index.htm;

 location /.well-known {
   try_files $uri $uri/ =404;
 }
}

什麼是合適的方法來做到這一點?

Let’s Encrypt 不會在 HTTPS 上尋找挑戰,因此您可以簡單地設置如下內容:

server {
   listen 80 default_server;
   listen [::]:80 default_server;

   server_name x.example.com;

   location /.well-known {
       try_files $uri $uri/ =404;
   }

   location / {
       return 301 https://$server_name$request_uri;
   }
}

server {
   listen 443 ssl;
   listen [::]:443 ssl;

   <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>

   ssl_client_certificate /etc/ssl/certs/root-ca.crt;
   ssl_verify_client on;
   ssl_verify_depth 2;

   root /var/www/html;
   index index.html index.htm;

   location / {
       try_files $uri $uri/ =404;
   }
}

引用自:https://serverfault.com/questions/822806