Using nginx for mutual (two-way) TLS authentication, client certificates can also be revoked.
In k8s, configuring TLS on an Ingress can enforce client-certificate authentication, but revocation does not work there; repeated tests failed to get it working (k8s 1.14.8).
1 Mutual HTTPS authentication with nginx
    Mutual authentication can be set up entirely on your own; it is independent of the server certificate issued by a commercial CA, so you only need to create your own CA and client certificates.
    If you have no CA-issued server certificate, you can also use the self-built CA to issue a local server certificate and then the client certificate, giving a fully local mutual-authentication setup; this is common in testing.
1.1 Prepare the nginx environment
    Install nginx:
        yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel
        rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
        yum install nginx -y
        nginx -v
        systemctl start nginx
1.2 Configure nginx
    Edit the nginx configuration file; the certificate paths and file names used below are planned in advance.
        vi /etc/nginx/conf.d/443.conf
    ca.crl is the revocation list; the ssl_crl line stays commented out until a revocation has actually been performed (section 1.5).
    server {
        listen 443 ssl;
        server_name www.younihao.com;

        ssl_certificate           /etc/nginx/ca/server/server.crt;
        ssl_certificate_key       /etc/nginx/ca/server/server.key;
        ssl_client_certificate    /etc/nginx/ca/private/ca.crt;

        ssl_session_timeout 5m;
        ssl_verify_client on;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
    #   ssl_crl /etc/nginx/ca/private/ca.crl;

        charset utf-8;
        access_log logs/host.access.log main;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires 90d;
        }
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
    The ssl_protocols and ssl_ciphers values above are kept exactly as in the original; note that TLSv1/TLSv1.1 and the RC4, LOW and EXP suites this cipher list admits are deprecated, so a production deployment should restrict itself to TLSv1.2 (and TLSv1.3) with a modern cipher list. The mutual-authentication part (ssl_client_certificate, ssl_verify_client, ssl_crl) is unaffected by that choice.
1.3 Create the self-signed CA, server and client certificates
    1.3.1 Create the certificate directories
        cd /etc/nginx/
        mkdir ca
        cd ca/
        mkdir newcerts private conf server users
    1.3.2 Create the openssl configuration file
        vi /etc/nginx/ca/conf/openssl.conf

        [ ca ]
        default_ca = myserver

        [ myserver ]
        dir = /etc/nginx/ca
        database = /etc/nginx/ca/index.txt
        new_certs_dir = /etc/nginx/ca/newcerts
        certificate = /etc/nginx/ca/private/ca.crt
        serial = /etc/nginx/ca/serial
        private_key = /etc/nginx/ca/private/ca.key
        RANDFILE = /etc/nginx/ca/private/.rand

        default_days = 3650
        default_crl_days = 3650
        default_md = sha256
        unique_subject = no

        policy = policy_any

        [ policy_any ]
        countryName = match
        stateOrProvinceName = match
        organizationName = match
        localityName = optional
        commonName = supplied
        emailAddress = optional
    1.3.3 Generate the CA, server and client certificates
        # Generate the CA
        openssl genrsa -out /etc/nginx/ca/private/ca.key
        openssl req -new -key /etc/nginx/ca/private/ca.key -out private/ca.csr
        openssl x509 -req -days 3650 -in /etc/nginx/ca/private/ca.csr -signkey /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.crt

        # Set the starting serial number
        echo FACE > /etc/nginx/ca/serial
        # Create the CA index database
        touch /etc/nginx/ca/index.txt
        # Create an (initially empty) certificate revocation list
        openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 3670 -config "/etc/nginx/ca/conf/openssl.conf"

        # Generate the server certificate, signed by our own CA
        openssl genrsa -out /etc/nginx/ca/server/server.key 2048
        openssl req -new -key /etc/nginx/ca/server/server.key -out /etc/nginx/ca/server/server.csr
        openssl ca -in /etc/nginx/ca/server/server.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

        # Generate the client certificate
        openssl genrsa -out /etc/nginx/ca/users/client.key 2048
        openssl req -new -key /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.csr
        openssl ca -in /etc/nginx/ca/users/client.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"
    When `openssl req` creates the certificate requests above, it prompts for a series of subject fields (see the figure). For the Common Name field, the server certificate request must use the domain name; the CA and client requests can use any name. Keep the other fields identical across the three requests, because the policy_any section marks country, state/province and organization as "match", so `openssl ca` refuses a request whose values differ from the CA certificate.
    1.3.4 Convert the client certificate into a PKCS#12 file
    A password must be set when generating this file; the browser asks for it when the certificate is imported.
        openssl pkcs12 -export -clcerts -in /etc/nginx/ca/users/client.crt -inkey /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.p12
1.4 Verify the mutual authentication
    1.4.1 With the nginx configuration edited and the certificate paths and names all correct:
        nginx -t   # check the configuration syntax
        nginx -s reload   ## load the new configuration
    1.4.2 Download the client.p12 file
        sz /etc/nginx/ca/users/client.p12
    1.4.3 Add the client certificate to the browser
            The procedure differs per browser; search for how to import a p12 certificate file, and restart the browser after importing it.
            Visiting https://www.younihao.com in the browser now pops up a certificate selection dialog; choose the myclient certificate and the page loads normally.
            Visiting without a certificate returns 400 Bad Request (No required SSL certificate was sent).
1.5 Revoke a client certificate
    1.5.1 Look up the serial number
        [root@loaclhost ]# openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject
        serial=FACF   ## the serial number is FACF
        subject= /C=cn/ST=henan/O=supercom/L=zhengzhou/CN=myclient
    1.5.2 Create the crlnumber file (in /etc/nginx/ca)
        echo 01 > crlnumber   ## only needed the first time
    1.5.3 Add the CRL number setting to the openssl configuration
        vi /etc/nginx/ca/conf/openssl.conf   ## add the line below to the [ myserver ] section
        crlnumber = /etc/nginx/ca/crlnumber
    1.5.4 Revoke the client certificate
    `openssl ca` keeps a copy of every certificate it issues under newcerts/, named after the serial number, which is why the serial was looked up in 1.5.1.
        openssl ca -revoke /etc/nginx/ca/newcerts/FACF.pem -config "/etc/nginx/ca/conf/openssl.conf"
    1.5.5 Regenerate the CRL
        openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -config "/etc/nginx/ca/conf/openssl.conf"
    Check that the revocation is listed:
        openssl crl -in /etc/nginx/ca/private/ca.crl -noout -text
    1.5.6 Adjust the nginx configuration
        vi /etc/nginx/conf.d/443.conf   ## enable the crl line
        ssl_crl /etc/nginx/ca/private/ca.crl;
        nginx -t   # check, then reload
        nginx -s reload
    1.5.7 Verify the revocation
    Open the browser, visit the site again and select the same certificate; if access is now refused, the revocation worked.
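The whole procedure of sections 1.3 and 1.5, as an added example that is not code from the original post: a POSIX shell script that builds the CA, issues the server and client certificates, exports the PKCS#12 bundle, revokes the client certificate and regenerates the CRL, all non-interactively (`-subj`, `-batch`) under a temporary directory instead of /etc/nginx/ca. It then runs `openssl verify -crl_check` against the CA certificate and the CRL, which is the same chain-plus-CRL check nginx performs once ssl_client_certificate and ssl_crl are set, so the effect of a revocation can be confirmed without a browser. The subject values, the `v3_ca`, `usr_cert` and `req` config sections, the shorter CRL lifetime and all function names are my own additions; the serial counter starts at FACE as in the post, so the client certificate again receives serial FACF.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 1.3 and 1.5 as one
# non-interactive script under a temporary CA_DIR instead of /etc/nginx/ca.
# Subject fields are constructed sample values; only the CN differs per cert.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CONF="$CA_DIR/conf/openssl.conf"
DN_BASE="/C=CN/ST=henan/O=supercom/L=zhengzhou"   # policy_any: C, ST, O must match the CA

# Directories, the openssl ca config, the serial/crlnumber counters and the self-signed CA.
ca_init() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/conf" "$CA_DIR/server" "$CA_DIR/users"
    cat > "$CONF" <<EOF
[ ca ]
default_ca = myserver
[ myserver ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
certificate      = $CA_DIR/private/ca.crt
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
private_key      = $CA_DIR/private/ca.key
default_days     = 3650
default_crl_days = 30
default_md       = sha256
unique_subject   = no
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
localityName        = optional
commonName          = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    echo FACE > "$CA_DIR/serial"     # first issued cert gets FACE, the next FACF, as in the post
    echo 01   > "$CA_DIR/crlnumber"  # present from the start, so step 1.5.2 is not needed later
    : > "$CA_DIR/index.txt"
    openssl genrsa -out "$CA_DIR/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$CONF" -extensions v3_ca \
        -key "$CA_DIR/private/ca.key" -subj "$DN_BASE/CN=myca" -out "$CA_DIR/private/ca.crt"
}

# issue_cert NAME DIR CN: key + CSR, then sign with openssl ca (-batch: no y/n prompt).
issue_cert() {
    openssl genrsa -out "$2/$1.key" 2048 2>/dev/null
    openssl req -new -config "$CONF" -key "$2/$1.key" -subj "$DN_BASE/CN=$3" -out "$2/$1.csr"
    openssl ca -batch -notext -config "$CONF" -in "$2/$1.csr" -out "$2/$1.crt" >/dev/null 2>&1
}

# Hex serial as `openssl x509 -serial` prints it (e.g. FACF), without the "serial=" prefix.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# (Re)generate the CRL that nginx's ssl_crl directive points at.
gen_crl() { openssl ca -config "$CONF" -gencrl -out "$CA_DIR/private/ca.crl" >/dev/null 2>&1; }

# Revoke via the CA's own copy newcerts/<SERIAL>.pem (what step 1.5.4 does), then refresh the CRL.
revoke_cert() {
    openssl ca -config "$CONF" -revoke "$CA_DIR/newcerts/$(cert_serial "$1").pem" >/dev/null 2>&1
    gen_crl
}

# Serials listed in the current CRL, one per line (step 1.5.5's check, parsed).
crl_revoked_serials() {
    openssl crl -in "$CA_DIR/private/ca.crl" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# OK / REVOKED / ERROR, from the same chain-plus-CRL check nginx does with ssl_crl enabled.
cert_status() {
    out=$(openssl verify -crl_check -CAfile "$CA_DIR/private/ca.crt" \
              -CRLfile "$CA_DIR/private/ca.crl" "$1" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo "ERROR: $out" ;;
    esac
}

ca_init
gen_crl                                  # empty CRL, so ssl_crl can be enabled before any revocation
issue_cert server "$CA_DIR/server" www.younihao.com
issue_cert client "$CA_DIR/users"  myclient
# PKCS#12 for the browser import of 1.3.4; the export password is what the browser asks for.
openssl pkcs12 -export -clcerts -in "$CA_DIR/users/client.crt" -inkey "$CA_DIR/users/client.key" \
    -out "$CA_DIR/users/client.p12" -passout pass:changeit
echo "client serial : $(cert_serial "$CA_DIR/users/client.crt")"
echo "before revoke : $(cert_status "$CA_DIR/users/client.crt")"
revoke_cert "$CA_DIR/users/client.crt"
echo "after revoke  : $(cert_status "$CA_DIR/users/client.crt")"
echo "CRL now lists : $(crl_revoked_serials)"
```

Run it with `sh` and set CA_DIR to a directory of your choice to keep the output; the printed status flips from OK to REVOKED only because the CRL was regenerated after `-revoke`, which is exactly why step 1.5.5 must follow 1.5.4 and nginx must be reloaded afterwards.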
1.6 nginx authentication references
    https://blog.csdn.net/rexueqingchun/article/details/82251563
    https://help.aliyun.com/document_detail/54508.html?spm=5176.2020520152.0.0.61bb16ddEk6YWC
2 Mutual HTTPS authentication with an Ingress (no revocation support)
2.1 Example Ingress
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
        nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
        nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
        nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
        nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
      name: nginx-test
      namespace: default
    spec:
      rules:
      - host: mydomain.com
        http:
          paths:
          - backend:
              serviceName: http-svc
              servicePort: 80
            path: /
      tls:
      - hosts:
        - mydomain.com
        secretName: tls-secret
2.2 Create tls-secret and ca-secret
    tls-secret can hold either the self-issued server certificate or a CA-vendor-issued one:
        kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
    Create ca-secret from your own CA directory:
        cd /etc/nginx/ca/private
        kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
    Then create the Ingress:
        kubectl create -f ingress.yaml
2.3 Other useful annotations
    Cross-origin (CORS) requests: add the following annotations to the Ingress
        nginx.ingress.kubernetes.io/cors-allow-headers: >-
          DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
        nginx.ingress.kubernetes.io/cors-allow-methods: 'PUT, GET, POST, OPTIONS'
        nginx.ingress.kubernetes.io/cors-allow-origin: '*'
        nginx.ingress.kubernetes.io/enable-cors: 'true'
    Force HTTPS (redirect to 443):
        nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    Restrict access to a source IP allow-list:
        nginx.ingress.kubernetes.io/whitelist-source-range: '192.168.5.3'
2.4 Ingress references
    https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/
    https://kubernetes.github.io/ingress-nginx/examples/PREREQUISITES/#client-certificate-authentication
    https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/