
java - nginx + tomcat + two-way SSL authentication: the JSP file can never get the client certificate information
ringa_lee 2017-04-18 10:33:21
certs=(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

This line is always null. I don't know where the problem is: nginx, or tomcat?

I searched a lot of information online, but nothing solved it. Some people use tomcat directly as the HTTPS server, which does solve it, but I really don't want to do that.

Opening the tomcat pages through nginx works correctly over both http and https, and the certificate selection dialog pops up, but the server side just cannot get the client's authentication certificate information.

This is the nginx configuration file:

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    


    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

    }



    upstream tomcat {
        server 192.168.2.114:8080 fail_timeout=0;
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;
    
        ssl_certificate      d:/ssl/server.crt;
        ssl_certificate_key  d:/ssl/server.key;
        ssl_client_certificate d:/ssl/ca.crt;

        ssl on;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_verify_client on;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # note: there is no SSL here, plain HTTP is used
              client_max_body_size    16m;
              client_body_buffer_size 128k;
              proxy_pass                          http://tomcat/;
              proxy_set_header        Host $host;
              proxy_set_header        X-Real-IP $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header           X-Forwarded-Proto https;
              proxy_next_upstream   off;

              proxy_connect_timeout   30;
              proxy_read_timeout      300;
              proxy_send_timeout      300;
        }
    }

}

This is the tomcat part:

     <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" 
                   scheme="https"
                   proxyName="192.168.2.114"
                   proxyPort="443" />
                   
   <Valve className="org.apache.catalina.valves.RemoteIpValve"
                      remoteIpHeader="x-forwarded-for"
                      remoteIpProxiesHeader="x-forwarded-by"
                      protocolHeader="x-forwarded-proto"/>
reply all(2)
迷茫

I searched for certificate delivery and seemed to find this article. It has not been verified yet, and may be able to solve this problem.

  1. Certificate hierarchy

  2. Server structure

tomcat does not require client authentication, nginx requires client authentication

  3. Points to note when configuring tomcat

The CN of tomcat’s server certificate must be tomcat_backend

  4. nginx configuration notes

Use openssl to export pem format public key from pfx file

openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem

Use openssl to export pem format private key from pfx file

openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem

Use openssl to generate CA certificate chain

Export the public key certificates of the root CA and intermediate CA. For example, the file names after export are root.pem ca.pem

Merge root.pem ca.pem into one file, with ca.pem in front and root.pem in the back

cat ca.pem >> chain.pem
cat root.pem >> chain.pem

nginx server segment configuration

server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate nginx服務器證書公鑰;
    ssl_certificate_key nginx服務器證書私鑰;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; # with the default value, Chrome warns that the cipher suite in use is obsolete
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ; # with the default value, Chrome warns that the cipher suite in use is obsolete
    ssl_prefer_server_ciphers on;
    ssl_verify_client on; # enable client certificate verification
    ssl_verify_depth 2; # be careful here: set this to the number of CA levels above the server certificate
    ssl_client_certificate chain.pem; # certificate chain used to verify the certificate presented by the client
    ssl_trusted_certificate 證書鏈;
    location / {
        proxy_pass https://tomcat_backend;
        include proxy.conf;
    }
}

Pass the client certificate to the backend tomcat through the http header. Configure in proxy.conf file

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Client-Cert $ssl_client_cert; # put the client certificate into an HTTP header and pass it to the backend tomcat
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 30;
proxy_send_timeout 15;
proxy_read_timeout 15;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_ssl_certificate localhost.pem; # if the backend tomcat also requires client authentication, nginx sends this certificate to tomcat when it establishes the connection
proxy_ssl_certificate_key localhost.key;
proxy_ssl_trusted_certificate chain.pem; # if proxy_ssl_verify is enabled, the CA public keys in this file are used to verify the backend tomcat's certificate
proxy_ssl_verify on; # whether nginx verifies the backend tomcat's certificate
proxy_ssl_verify_depth 2;

For information on how to generate CA certificates, client certificates, and server certificates, please refer to "Implementing SSL Two-Way Authentication in JEE Projects"
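The answer forwards the client certificate in a Client-Cert header, but Tomcat does not populate javax.servlet.request.X509Certificate from an arbitrary header on its own, which is exactly why the question's JSP keeps seeing null: nginx terminates the TLS session and authenticates the client, and the plain-HTTP hop to port 8080 carries no certificate unless something on the Tomcat side rebuilds it. The servlet filter below is an added example, not code from the question, the answer or the linked article. It assumes the header name Client-Cert from the answer's proxy.conf, treats the nginx host 192.168.2.114 from the question's upstream block as the only proxy allowed to assert a client identity, and targets Java 11 and the Servlet 3.x javax.servlet API; the package name is hypothetical.

```java
package example.mtls; // hypothetical package name

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Rebuilds the javax.servlet.request.X509Certificate attribute from the
 * certificate that nginx forwards in an HTTP header after it has already
 * verified the client (ssl_verify_client on; proxy_set_header Client-Cert ...).
 */
public class ClientCertHeaderFilter implements Filter {

    /** Header name used in the answer's proxy.conf (assumption for this example). */
    static final String CERT_HEADER = "Client-Cert";
    /** Attribute name the JSP in the question reads. */
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    /** Only the reverse proxy may assert a client identity: anyone able to reach
     *  port 8080 directly could otherwise forge the header. The address is the
     *  nginx host from the question's upstream block (assumption). */
    static final Set<String> TRUSTED_PROXIES = Set.of("192.168.2.114", "127.0.0.1");

    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String header = http.getHeader(CERT_HEADER);
        if (header != null && TRUSTED_PROXIES.contains(req.getRemoteAddr())) {
            try {
                X509Certificate cert = parsePemHeader(header);
                req.setAttribute(CERT_ATTRIBUTE, new X509Certificate[] { cert });
            } catch (CertificateException | IllegalArgumentException e) {
                // Malformed value: leave the attribute unset rather than trusting it.
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Accepts both nginx forms: $ssl_client_cert (PEM whose continuation lines are
     * tab-indented and may be re-folded with spaces on the way through the HTTP
     * header) and $ssl_client_escaped_cert (the same PEM, URL-encoded). Only the
     * base64 body between the PEM markers is kept, so whitespace folding is irrelevant.
     */
    static X509Certificate parsePemHeader(String value) throws CertificateException {
        String pem = value;
        if (!pem.contains(BEGIN)) {
            // URL-encoded form; keep a literal '+' (base64 alphabet) from decoding to a space.
            pem = URLDecoder.decode(pem.replace("+", "%2B"), StandardCharsets.UTF_8);
        }
        int start = pem.indexOf(BEGIN);
        int end = pem.indexOf(END);
        if (start < 0 || end <= start) {
            throw new CertificateException("header does not contain a PEM certificate");
        }
        String body = pem.substring(start + BEGIN.length(), end).replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Map the filter to /* in web.xml and the question's `request.getAttribute("javax.servlet.request.X509Certificate")` cast then returns a one-element array. The authentication decision still belongs to nginx's `ssl_verify_client on`; the filter only relays the already-verified certificate, which is why it must ignore the header from any address other than the proxy (binding the 8080 connector to an address reachable only by nginx is the complementary step). On nginx 1.13.5 and later, `$ssl_client_escaped_cert` is the preferred variable, since `$ssl_client_cert` is deprecated because of its multi-line value; the parser above handles either. Tomcat also ships `org.apache.catalina.valves.SSLValve`, which performs the same mapping when the header is named `ssl_client_cert` (its default), so the filter is mainly useful when you need a different header name or a trusted-proxy check.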

PHPzhong

Implementing SSL two-way authentication in JEE project
