[HTTPS] Two-way SSL – mutual SSL authentication on Nginx

Intro

Two-way SSL means the server also requires the client to present a certificate for verification. In the handshake, the client verifies the server first, and only then does the server verify the client.


Client certificate

The client presents its end-entity certificate and is configured to use the private key that corresponds to that certificate.
The server is configured with the client's CA certificate, which it uses to verify the end-entity certificate the client presents.

[Server] Common TLS/SSL certificate commands – creating a CSR


Nginx configuration

Nginx can enable client certificate verification in a server block:

server {
    listen 443 ssl;

    # The server's own certificate and private key (what the client verifies first)
    ssl_certificate /etc/nginx/ssl/public.crt;
    ssl_certificate_key /etc/nginx/ssl/private.rsa;

    # Client certificate verification:
    # trusted CA certificate(s), in PEM format, used to verify the client's certificate
    ssl_client_certificate /etc/nginx/ssl/client_ca.pem;
    # require a client certificate and reject the connection if it does not verify
    ssl_verify_client on;

    server_name api.my_domain.com;

    location / {
       # ...
    }
}

Client example

PHP Guzzle

<?php
require 'vendor/autoload.php';
use GuzzleHttp\Client;

$client = new Client(['base_uri' => 'https://api.my_domain.com']);

$response = $client->get('/', [
    'cert'    => 'client.crt', // path to the client's PEM-encoded certificate
    'ssl_key' => 'client.key', // path to the private key matching that certificate
]);
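As an added example (not from the original post, Nginx or Guzzle), the same policy as the server block above and the client behaviour just shown, written against Go's standard library: a constructed throwaway CA issues one client certificate, the server requires and verifies client certificates against that CA, and a client presenting that certificate is admitted while a client presenting none is refused. The CA and client names are made up for the demo, and the server's own certificate is the localhost one httptest supplies, so the client-verifies-server leg runs against that.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a throwaway demo certificate: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root: the constructed "client CA" (demo assumption)
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MutualTLSDemo runs a server configured like the Nginx block above and reports whether a client
// holding a certificate issued by the trusted CA, and a client holding none, are admitted.
func MutualTLSDemo() (withClientCert, withoutClientCert bool) {
	clientCA, caKey := issue("Demo Client CA", nil, nil)
	cliCert, cliKey := issue("demo-client", clientCA, caKey)
	pool := x509.NewCertPool() // plays the role of client_ca.pem
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert} // ssl_client_certificate + ssl_verify_client on
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	defer srv.Close()
	roots := srv.Client().Transport.(*http.Transport).TLSClientConfig.RootCAs
	try := func(certs ...tls.Certificate) bool { // trust roots for the server, present certs (if any) as the client
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: certs}}}
		resp, err := c.Get(srv.URL) // a refused handshake surfaces here as an error; the empty 200 has no body to close
		return err == nil && resp.StatusCode == http.StatusOK
	}
	withClientCert = try(tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey})
	withoutClientCert = try()
	return
}
```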
