How do I pass the user's certificate from an NGINX reverse proxy server to another server that also runs NGINX?

I have two separate servers in total, ServerA and ServerB. ServerA runs an NGINX reverse proxy using Docker/Docker-Compose.

Here is ServerA's docker-compose.yml file:

version: '3.5'
services:
  proxy:
    build: ./
    # image: nginx:1.19-alpine
    container_name: proxy
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped

Here is the content of the Dockerfile:

FROM nginx:1.19.0-alpine

# Remove default configuration
RUN rm /etc/nginx/nginx.conf
RUN rm /etc/nginx/conf.d/default.conf

# New default conf containing the proxy config
COPY ./default.conf /etc/nginx/conf.d/default.conf
COPY ./nginx.conf /etc/nginx/nginx.conf

# Backend not found html response
COPY ./backend-not-found.html /var/www/html/backend-not-found.html

# Nginx Proxy and SSL shared configs
COPY ./includes/ /etc/nginx/includes/

Here is the content of the nginx configuration, nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  4096;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

The main proxy configuration comes from this file, default.conf:

# 80 Redirect
server {
    listen 80;
    listen [::]:80;

    server_name localhost $host;

    return 301 https://$host$request_uri;
}

# ServerB proxy config for app running on port 443.
server {
    listen 443 ssl;
    server_name App1.CUSTOMDOMAIN.org;

    # Configure SSL
    ssl_certificate /etc/ssl/certs/nginx/ServerA-crt.pem;
    ssl_certificate_key /etc/ssl/certs/nginx/ServerA-key.pem;
    ssl_trusted_certificate        /etc/ssl/certs/nginx/PKI/ca.ca-bundle;
    ssl_client_certificate         /etc/ssl/certs/nginx/PKI/ca.ca-bundle;
    ssl_verify_client optional;
    ssl_verify_depth 5;
    include /etc/nginx/includes/ssl.conf;

    location / {
        include /etc/nginx/includes/proxy.conf;
        proxy_pass https://ServerB.CUSTOMDOMAIN.org;
        proxy_ssl_certificate           /etc/ssl/certs/nginx/ServerA-crt.pem;
        proxy_ssl_certificate_key       /etc/ssl/certs/nginx/ServerA-key.pem;
    }
    access_log off;
    error_log  /var/log/nginx/error.log error;
}

# ServerB proxy config for app running on port 8000.
server {
    listen 443 ssl;
    server_name App2.CUSTOMDOMAIN.org;

    # Configure SSL
    ssl_certificate /etc/ssl/certs/nginx/ServerB-crt.pem;
    ssl_certificate_key /etc/ssl/certs/nginx/ServerB-key.pem;
    ssl_trusted_certificate        /etc/ssl/certs/nginx/PKI/ca.ca-bundle;
    ssl_client_certificate         /etc/ssl/certs/nginx/PKI/ca.ca-bundle;
    ssl_verify_client optional;
    ssl_verify_depth 5;
    include /etc/nginx/includes/ssl.conf;

    location / {
        include /etc/nginx/includes/proxy.conf;
        proxy_pass https://ServerB.CUSTOMDOMAIN.org:8000;  # DEV
        proxy_ssl_certificate           /etc/ssl/certs/nginx/ServerB-crt.pem;
        proxy_ssl_certificate_key       /etc/ssl/certs/nginx/ServerB-key.pem;
    }

    access_log off;
    error_log  /var/log/nginx/error.log error;
}

# Catch all
server {
    listen 80 default_server;

    server_name _;
    root /var/www/html;

    charset UTF-8;

    error_page 404 /backend-not-found.html;
    location = /backend-not-found.html {
        allow   all;
    }
    location / {
        return 404;
    }

    access_log off;
    log_not_found off;
    error_log  /var/log/nginx/error.log error;
}

App1.CUSTOMDOMAIN.org and App2.CUSTOMDOMAIN.org are DNS records pointing at the NGINX reverse proxy (ServerA). Depending on which DNS name/URL the user visits, it proxies the user through to ServerB on port 443 or port 8000.

ServerB runs nginx + django + a local postgres db from a docker-compose.yml file:

version: '3'

services:
  app-rest:
    container_name: app-rest
    env_file:
      - ./.env
    environment:
      - DJANGO_SETTINGS_MODULE=app.settings.local
    build:
      context: .
      dockerfile: Dockerfile
      args:
        - CA_BUNDLE=${SERVER_CA_BUNDLES}
    volumes:
      - ${REST_DIR}:/app
      - static_volume:/app/staticfiles
      - media_volume:/app/mediafiles
      - ${SERVER_PRIVATE_KEY}:/app/certs/private.pem
      - ${SERVER_PUBLIC_CERT}:/app/certs/public.pem
      - ${SERVER_PEM}:/app/certs/server.pem
      - ${SERVER_CA_BUNDLES}:/app/certs/ca/ca.pem
    command: python manage.py runserver 0.0.0.0:8000
    # command: gunicorn app.wsgi:application --bind 0.0.0.0:8000
    expose:
      - 8000
    restart: unless-stopped

  # nginx reverse-proxy
  nginx:
    env_file:
      - ./.env
    build: ./nginx
    volumes:
      - static_volume:/app/staticfiles
      - media_volume:/app/mediafiles
      - ${SERVER_PRIVATE_KEY}:/etc/nginx/private.pem
      - ${SERVER_PUBLIC_CERT}:/etc/nginx/public.pem
      - ${SERVER_CA_BUNDLES}:/etc/pki/tls/certs/ca_bundles.pem
      - ${UI_DIR}./dist:/var/www/app
    ports:
      - 80:80
      - 443:443
    depends_on:
      - app-rest   # must match the service name above (was "App-rest", which compose would not resolve)
    restart: unless-stopped

  # optional local database instance
  local-db:
    container_name: App-local-db
    image: postgres:13.1-alpine
    env_file:
      - ./.env
    environment:
      - POSTGRES_PASSWORD=${PG_DB_PASSWORD}
      - POSTGRES_DB=${PG_DATABASE}
    ports:
      - ${PG_DB_EXT_PORT}:5432
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    restart: unless-stopped

volumes:
  postgres_data:
  static_volume:
  media_volume:

I'm trying to figure out how, when a user hits App1.CUSTOMDOMAIN.org and is forwarded to the other nginx proxy on ServerB.CUSTOMDOMAIN.org, I can hand the user's certificate over to it. Right now it looks like ServerA's server certificate is being passed to ServerB.CUSTOMDOMAIN.org instead of the user certificate that is used to authenticate with DJANGO.

Here is the other nginx.conf, for ServerB's nginx server:

upstream rest {
    server app-rest:8000;
}

server {
    listen 80;
    listen [::]:80;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    keepalive_timeout 70;

    ssl_protocols               TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate             /etc/nginx/public.pem;
    ssl_certificate_key         /etc/nginx/private.pem;
    ssl_client_certificate      /etc/pki/tls/certs/ca_bundles.pem;
    ssl_verify_client           on;
    ssl_verify_depth            2;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;

    location /api/app {
        proxy_pass              http://rest/api/app;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        Host                $host;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_set_header        X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header        X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header        X-SSL-Client-I-DN   $ssl_client_i_dn;
        proxy_redirect          off;
    }

    location / {
        root        /var/www/app;
        try_files   $uri $uri/ /index.html;
    }

    location /staticfiles/ {
        alias /app/staticfiles/;
    }

    location /mediafiles/ {
        alias /app/mediafiles/;
    }
}
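The setup described in the question is two chained TLS hops: the browser's client certificate is verified on ServerA (ssl_verify_client optional), and ServerA then opens a second, separate TLS connection to ServerB using its own certificate (proxy_ssl_certificate). The user's private key never leaves the browser, so ServerA cannot re-present the user's certificate in that second handshake; what it can do is forward the verified certificate and its verification result as headers, and ServerB can accept those headers only when the peer that connected to it is ServerA. The following configuration is an added example, not part of the original post: the file name forward-client-cert.conf, the header names, and the ServerA subject DN in the map are assumptions (the DN is a placeholder to be replaced with the real subject of the certificate named in proxy_ssl_certificate).

```nginx
# ---- ServerA: /etc/nginx/includes/forward-client-cert.conf (assumed file name)
# Include this inside each "location /" block that proxy_passes to ServerB.
# The user's certificate is forwarded as request headers; ServerA still
# authenticates itself to ServerB with its own proxy_ssl_certificate.
proxy_set_header X-SSL-Client-Verify       $ssl_client_verify;        # SUCCESS, NONE or FAILED:reason
proxy_set_header X-SSL-Client-S-DN         $ssl_client_s_dn;          # RFC 2253 subject, e.g. CN=...,O=...
proxy_set_header X-SSL-Client-I-DN         $ssl_client_i_dn;
proxy_set_header X-SSL-Client-Escaped-Cert $ssl_client_escaped_cert;  # URL-encoded PEM (nginx >= 1.13.5)

# ---- ServerB: http{} context of its nginx configuration
# $ssl_client_s_dn here is the subject of the certificate that connected to
# ServerB, i.e. ServerA's certificate. Placeholder DN: replace with the output of
#   openssl x509 -in ServerA-crt.pem -noout -subject -nameopt RFC2253
map $ssl_client_s_dn $peer_is_servera {
    default 0;
    "CN=ServerA.CUSTOMDOMAIN.org,O=PLACEHOLDER-ORG" 1;
}

# Only when the peer is ServerA do the forwarded headers describe the end user.
# For any other caller the values of the direct connection are used, so a client
# that reaches ServerB directly cannot inject X-SSL-Client-* headers of its own.
map $peer_is_servera $client_verify {
    1       $http_x_ssl_client_verify;
    default $ssl_client_verify;
}
map $peer_is_servera $client_s_dn {
    1       $http_x_ssl_client_s_dn;
    default $ssl_client_s_dn;
}
map $peer_is_servera $client_i_dn {
    1       $http_x_ssl_client_i_dn;
    default $ssl_client_i_dn;
}
map $peer_is_servera $client_escaped_cert {
    1       $http_x_ssl_client_escaped_cert;
    default $ssl_client_escaped_cert;
}

upstream rest {
    server app-rest:8000;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate        /etc/nginx/public.pem;
    ssl_certificate_key    /etc/nginx/private.pem;
    ssl_client_certificate /etc/pki/tls/certs/ca_bundles.pem;
    ssl_verify_client      on;   # ServerA itself must present a CA-issued client certificate
    ssl_verify_depth       2;

    location /api/app {
        proxy_pass              http://rest/api/app;
        proxy_set_header        Host                       $host;
        proxy_set_header        X-Forwarded-For            $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto          $scheme;
        # Always overwritten, never copied through from the incoming request.
        proxy_set_header        X-SSL-Client-Verify        $client_verify;
        proxy_set_header        X-SSL-Client-S-DN          $client_s_dn;
        proxy_set_header        X-SSL-Client-I-DN          $client_i_dn;
        proxy_set_header        X-SSL-Client-Escaped-Cert  $client_escaped_cert;
        proxy_redirect          off;
    }
}
```

Two points follow from this layout. First, because ServerA uses ssl_verify_client optional, a request with no certificate or a failed verification still reaches Django with X-SSL-Client-Verify set to NONE or FAILED:..., so the application must treat only the literal value SUCCESS as an authenticated user and must not rely on X-SSL-Client-S-DN alone. Second, the App2 server block in the question sends ServerB's own certificate as the proxy client certificate; the map on ServerB has to list the subject of whichever certificate each proxy_ssl_certificate line actually names, otherwise the forwarded headers are discarded and ServerB falls back to the direct-connection values.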
