Nginx
ssl_verify_client 用於除某些路徑之外的所有路徑
我有一個在子域上執行的伺服器,配置如下:
server { listen 80 default_server; listen [::]:80 default_server; server_name x.example.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; listen [::]:443 ssl; <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern> ssl_client_certificate /etc/ssl/certs/root-ca.crt; ssl_verify_client on; ssl_verify_depth 2; root /var/www/html; index index.html index.htm; location / { try_files $uri $uri/ =404; } }
目前,我使用自己的根 CA 進行客戶端驗證和伺服器的主證書。我想過渡到使用 Let’s Encrypt 證書,但這會帶來問題,因為 Let’s Encrypt 驗證過程需要訪問
x.example.com/.well-known
並且沒有匹配的客戶端證書。我已經嘗試像這樣添加第二個伺服器塊,如此處推薦的,但我無法讓它工作:
server { listen 443 ssl; listen [::]:443 ssl; server_name x.example.com; <same Mozilla configuration--I've got it stored as a snippet> ssl_verify_client off; root /var/www/html; index index.html index.htm; location /.well-known { try_files $uri $uri/ =404; } }
什麼是合適的方法來做到這一點?
Let’s Encrypt 不會在 HTTPS 上尋找挑戰,因此您可以簡單地設置如下內容:
server { listen 80 default_server; listen [::]:80 default_server; server_name x.example.com; location /.well-known { try_files $uri $uri/ =404; } location / { return 301 https://$server_name$request_uri; } } server { listen 443 ssl; listen [::]:443 ssl; <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern> ssl_client_certificate /etc/ssl/certs/root-ca.crt; ssl_verify_client on; ssl_verify_depth 2; root /var/www/html; index index.html index.htm; location / { try_files $uri $uri/ =404; } }