Ubuntu

NGINX SSL 反向代理驗證上游 SSL

  • August 18, 2020

我將 NGINX 設置為反向代理,以僅使用一個 IP 地址託管多個網站。我在代理上有一個 Lets Encrypt 證書,在上游伺服器上有一個不同的 Lets Encrypt 證書。基本上,我需要 NGINX 將流量轉發到上游伺服器並驗證上游伺服器是否具有有效的 TLS 證書。如果我禁用proxy_ssl_verify,它將起作用。如果我訪問https://app.local.example.com我的內部網路,該應用程序執行良好。

網路圖:

https://app.example.com --> NGINX Reverse Proxy --> https://app.local.example.com (Local IP Address)

NGINX 反向代理配置文件:

server {
   listen 80;
   rewrite ^ https://$host$request_uri? permanent;
}

server {
       server_name app.example.com;

       listen                                  443 ssl;

       ssl_certificate                         /etc/letsencrypt/live/app.example.com/cert.pem;
       ssl_certificate_key                     /etc/letsencrypt/live/app.example.com/privkey.pem;
       ssl_trusted_certificate                 /etc/letsencrypt/live/app.example.com/chain.pem;

       location / {

               proxy_redirect off;
               proxy_set_header Host $http_host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Ssl on;
               proxy_set_header X-Forwarded-Protocol $scheme;
               proxy_set_header X-Forwarded-HTTPS on;

               proxy_ssl_session_reuse        off;
               proxy_ssl_name                 app.local.example.com

               proxy_ssl_verify               on;
               proxy_ssl_verify_depth         2; # I've tried 1,2,3,4
               proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; 
                           
               proxy_pass                     https://app.local.example.com
       }
}

這是我收到的錯誤消息。

[error] 1087#1087: *2 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: [Client IP], server: app.example.com, request: "GET / HTTP/1.1", upstream: "https://192.168.1.5:443/", host: "app.local.example.com", referrer: "https://app.example.com/">

OpenSSL 版本:OpenSSL 1.1.1f 31 Mar 2020

nginx -v:nginx version: nginx/1.18.0 (Ubuntu)

貓 /etc/問題:Ubuntu 20.04.1 LTS \n \l

的輸出openssl s_client -connect app.local.example.com:443

CONNECTED(00000003)
depth=0 CN = app.local.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = app.local.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = app.local.example.com
  i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFeDCCBGCgAwIBAgISA8NkbZ6wz2EnKcedXujKT9AmMA0GCSqGSIb3DQEBCwUA
...
-----END CERTIFICATE-----
...
SSL-Session:
   Protocol  : TLSv1.3
   ...
   Verify return code: 21 (unable to verify the first certificate)

我將上游伺服器上的ssl_certificate值從cert.pem更改為。fullchain.pem

ssl_certificate         /etc/letsencrypt/live/app.example.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/app.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/app.example.com/chain.pem;

這是我使用的 NGINX 配置文件的連結

Certificate chain
0 s:CN = app.local.example.com
  i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

您的伺服器未正確配置。它不發送葉證書 (app.local.example.com) 和中間證書,而是僅發送葉證書。由於缺少中間證書,無法創建到本地信任錨的信任路徑,這意味著證書驗證失敗並顯示*“無法獲取本地頒發者證書”*。瀏覽器通常通過從其他地方獲取失去的中間證書來解決此類問題,但其他 TLS 堆棧通常不會執行此類解決方法。

正確配置伺服器後,您應該會在openssl s_client. 完成此操作後,nginx 也應該可以工作。

Certificate chain
0 s:CN = app.local.example.com
  i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  i:O = Digital Signature Trust Co., CN = DST Root CA X3

引用自:https://serverfault.com/questions/1030490