
[运维] nginx 配置

作者: 巨馍蘸酱 | 来源:发表于2023-03-03 15:17 被阅读0次

https 双向认证

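# HTTPS reverse proxy with mutual TLS (client-certificate authentication).
# Every client must present a certificate that chains to the CA configured in
# ssl_client_certificate; otherwise nginx rejects the request itself and
# nothing is proxied to the backend.
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       443 ssl;
        server_name  localhost 127.0.0.1 192.168.1.2;

        # Server certificate and its private key. Keep the key file readable
        # by root only.
        ssl_certificate /root/ssl/server.crt;
        ssl_certificate_key /root/ssl/server.key;
        # CA certificate(s) used to verify client certificates. Every
        # certificate issued by this CA is accepted, so it should be a CA
        # dedicated to this service's clients.
        ssl_client_certificate /root/ssl/root.crt;
        # "on": a valid client certificate is mandatory for the whole server.
        ssl_verify_client on;
        # NOTE(review): no ssl_crl is configured, so a revoked client
        # certificate is still accepted until it expires. Add ssl_crl if
        # client certificates ever need to be revoked.

        ssl_session_timeout 10m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
        # list. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1;
        # drop that parameter on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            # The backend receives plain HTTP and cannot see whether a client
            # certificate was presented. It must listen on loopback only;
            # if port 8080 is reachable directly, the certificate check
            # above is bypassed.
            proxy_pass http://localhost:8080/proj/;
            proxy_connect_timeout 600;
            proxy_read_timeout 600;
        }
    }
}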

部分 location 单向认证

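  • ssl_verify_client optional;(server 级别改为“可选”:客户端不带证书也能完成握手,校验结果保存在 $ssl_client_verify 中)
  • if ($ssl_client_verify != SUCCESS) { return 400; }(写在需要双向认证的 location 内;没有这条检查的 location 不会强制要求客户端证书)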

完整配置

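# HTTPS reverse proxy where client-certificate authentication is enforced per
# location: /web/ is server-authenticated TLS only, /api/ additionally
# requires a valid client certificate.
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       443 ssl;
        server_name  localhost 127.0.0.1 192.168.1.2;

        # Server certificate and its private key. Keep the key file readable
        # by root only.
        ssl_certificate /root/ssl/server.crt;
        ssl_certificate_key /root/ssl/server.key;
        # CA certificate(s) used to verify client certificates.
        ssl_client_certificate /root/ssl/root.crt;
        # "optional": the handshake succeeds with or without a client
        # certificate. nginx records the outcome in $ssl_client_verify
        # (SUCCESS, FAILED:<reason>, or NONE) and enforces nothing by itself.
        # Each location that needs a certificate must check that variable.
        ssl_verify_client optional;

        ssl_session_timeout 10m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
        # list. TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1;
        # drop that parameter on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        # NOTE(review): this server defines no "location /". Requests outside
        # /web/ and /api/ use the server's default handling and are not
        # checked for a client certificate. Confirm nothing sensitive is
        # reachable that way.

        location ^~ /web/ { # one-way TLS: no client certificate required
            proxy_pass http://localhost:8080/proj/web/;
            proxy_connect_timeout 600;
            proxy_read_timeout 600;
        }

        location /api/ { # mutual TLS: valid client certificate required
            # Reject both a missing certificate (NONE) and one that failed
            # verification (FAILED:...) before anything is proxied.
            if ($ssl_client_verify != SUCCESS) {
                 return 400;
            }
            # The backend receives plain HTTP and cannot tell whether this
            # check ran. It must listen on loopback only; if port 8080 is
            # reachable directly, /proj/api/ is exposed without a certificate.
            proxy_pass http://localhost:8080/proj/api/;
            proxy_connect_timeout 600;
            proxy_read_timeout 600;
        }
    }
}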
