Nginx and ingress configure HTTPS two-way authentication

2025-02-25 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--

With nginx configured for two-way (mutual TLS) authentication, a client certificate can also be revoked.

Configuring TLS through an ingress in Kubernetes achieves client certificate authentication as well, but revocation does not work there: repeated tests could not get it functioning (Kubernetes 1.14.8).

1 nginx HTTPS two-way authentication

Two-way authentication can be set up independently of the server certificate issued by a commercial CA; you only need to create your own CA and client certificates.

If there is no certificate from a commercial CA, the self-built CA can also issue a local server certificate and then a client certificate, giving two-way authentication in a local environment. This is commonly used for testing.

1.1 prepare the nginx environment

Install nginx:

yum -y install gcc gcc-c++ make libtool zlib zlib-devel openssl openssl-devel pcre pcre-devel
rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum install nginx -y
nginx -v
systemctl start nginx

1.2 configure nginx

Modify the nginx configuration file and plan the certificate paths and names.

vi /etc/nginx/conf.d/443.conf

ca.crl is the revocation list; enable the ssl_crl line only after a revocation has been performed.

server {
    listen 443 ssl;
    server_name www.younihao.com;

    ssl_certificate /etc/nginx/ca/server/server.crt;
    ssl_certificate_key /etc/nginx/ca/server/server.key;
    ssl_client_certificate /etc/nginx/ca/private/ca.crt;
    ssl_session_timeout 5m;
    ssl_verify_client on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL;
    ssl_prefer_server_ciphers on;
    # ssl_crl /etc/nginx/ca/private/ca.crl;

    charset utf-8;
    access_log logs/host.access.log main;
    error_page 502 503 504 /50x.html;

    location = /50x.html {
        root html;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
        expires 90d;
    }

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

1.3 create self-signed CA, server and client certificates

1.3.1 create the certificate directories

cd /etc/nginx/
mkdir ca
cd ca/
mkdir newcerts private conf server users

1.3.2 create an openssl configuration file

vi /etc/nginx/ca/conf/openssl.conf

[ca]
default_ca = myserver

[myserver]
dir = /etc/nginx/ca
database = /etc/nginx/ca/index.txt
new_certs_dir = /etc/nginx/ca/newcerts
certificate = /etc/nginx/ca/private/ca.crt
serial = /etc/nginx/ca/serial
private_key = /etc/nginx/ca/private/ca.key
RANDFILE = /etc/nginx/ca/private/.rand
default_days = 3650
default_crl_days = 3650
default_md = sha256
unique_subject = no
policy = policy_any

[policy_any]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
emailAddress = optional

1.3.3 generate the CA, server and client certificates

# generate the CA
openssl genrsa -out /etc/nginx/ca/private/ca.key
openssl req -new -key /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.csr
openssl x509 -req -days 3650 -in /etc/nginx/ca/private/ca.csr -signkey /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.crt

# set the starting serial number
echo FACE > /etc/nginx/ca/serial

# create the CA database
touch /etc/nginx/ca/index.txt

# create the certificate revocation list
openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 3670 -config "/etc/nginx/ca/conf/openssl.conf"

# generate the server certificate, signed by the self-built CA
openssl genrsa -out /etc/nginx/ca/server/server.key 2048
openssl req -new -key /etc/nginx/ca/server/server.key -out /etc/nginx/ca/server/server.csr
openssl ca -in /etc/nginx/ca/server/server.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

# generate the client certificate
openssl genrsa -out /etc/nginx/ca/users/client.key 2048
openssl req -new -key /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.csr
openssl ca -in /etc/nginx/ca/users/client.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"

When openssl req creates a certificate request above, it prompts for a series of fields; the one that matters is Common Name (the original article shows the prompt in a figure that is not reproduced here). The server certificate request must use the domain name as its Common Name; the CA and client requests need not. The remaining fields should be the same for all three, since policy_any requires country, state and organization to match the CA's.

1.3.4 convert client certificate to PKCS12 file

You need to set a password when generating the file; the browser will ask for it when importing the certificate.

openssl pkcs12 -export -clcerts -in /etc/nginx/ca/users/client.crt -inkey /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.p12

1.4 verify two-way authentication

1.4.1 after modifying the nginx configuration, check that the certificate paths and names are accurate

nginx -t          # check the configuration syntax

nginx -s reload   # load the new configuration

1.4.2 download the client.p12 file

sz /etc/nginx/ca/users/client.p12

1.4.3 add the client certificate to the browser

The steps differ from browser to browser; look up how your browser imports a p12 certificate file, and restart the browser after importing it.

When the browser accesses https://www.younihao.com, a certificate selection dialog pops up; select the myclient certificate and the page loads normally.

Access without a certificate results in a 400 Bad Request (No required SSL certificate was sent) error.

1.5 revoke the client certificate

1.5.1 view the serial number

openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject

[root@loaclhost]# openssl x509 -in /etc/nginx/ca/users/client.crt -noout -serial -subject
serial=FACF          ## the serial number is FACF
subject= /C=cn/ST=henan/O=supercom/L=zhengzhou/CN=myclient

1.5.2 create the crlnumber file

echo 01 > /etc/nginx/ca/crlnumber   ## only needed the first time

1.5.3 add the revocation configuration to openssl.conf

vi /etc/nginx/ca/conf/openssl.conf   ## add the following line to the [myserver] section

crlnumber = /etc/nginx/ca/crlnumber

1.5.4 revoke the client certificate

openssl ca -revoke /etc/nginx/ca/newcerts/FACF.pem -config "/etc/nginx/ca/conf/openssl.conf"

1.5.5 regenerate the CRL

openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -config "/etc/nginx/ca/conf/openssl.conf"

# check that the revocation was recorded
openssl crl -in /etc/nginx/ca/private/ca.crl -noout -text

1.5.6 adjust nginx parameters

vi /etc/nginx/conf.d/443.conf   ## enable the crl line

ssl_crl /etc/nginx/ca/private/ca.crl;

nginx -t          # verify
nginx -s reload   # reload

1.5.7 verify the revocation result

Open the browser and access the site again, selecting the same certificate; if access is now denied, the revocation succeeded.
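The revocation round trip of section 1.5 (issue, revoke, regenerate the CRL), as an added example that is not part of the original article: it builds a scratch CA in a temp directory with a trimmed copy of the article's openssl.conf, and uses openssl verify -crl_check in place of the browser to make the same accept/reject decision nginx makes with ssl_crl. It assumes openssl is on PATH; the -subj arguments are only there to keep openssl req non-interactive.

```shell
# Added example, not from the article: a throwaway CA in a temp dir issues one client cert,
# revokes it and regenerates the CRL; `openssl verify -crl_check` shows the decision nginx's
# ssl_crl makes before and after. Paths and the FACE starting serial follow the article.
set -e
setup_ca() {
  CA=$(mktemp -d)
  mkdir -p "$CA/newcerts" "$CA/private" "$CA/users"
  touch "$CA/index.txt"
  echo FACE > "$CA/serial"   # first issued certificate gets serial FACE, as in the article
  echo 01 > "$CA/crlnumber"  # the article adds this just before the first revocation
  cat > "$CA/openssl.conf" <<EOF
[ca]
default_ca = myserver
[myserver]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
certificate = $CA/private/ca.crt
serial = $CA/serial
crlnumber = $CA/crlnumber
private_key = $CA/private/ca.key
default_days = 3650
default_crl_days = 3650
default_md = sha256
policy = policy_any
[policy_any]
commonName = supplied
EOF
  # Self-signed CA, then a client certificate issued by it (-subj keeps req non-interactive).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=test-ca" \
    -keyout "$CA/private/ca.key" -out "$CA/private/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myclient" \
    -keyout "$CA/users/client.key" -out "$CA/users/client.csr" 2>/dev/null
  openssl ca -batch -config "$CA/openssl.conf" -in "$CA/users/client.csr" \
    -out "$CA/users/client.crt" 2>/dev/null
  openssl ca -gencrl -config "$CA/openssl.conf" -out "$CA/private/ca.crl" 2>/dev/null
}
# The check nginx performs with ssl_crl: exit 0 if client.crt chains to the CA and is not in ca.crl.
verify_client() {
  openssl verify -crl_check -CAfile "$CA/private/ca.crt" -CRLfile "$CA/private/ca.crl" "$CA/users/client.crt" >/dev/null 2>&1
}
client_serial() { openssl x509 -in "$CA/users/client.crt" -noout -serial | cut -d= -f2; }
# Revoke via the copy openssl ca kept as newcerts/<SERIAL>.pem; the cert stays accepted until the CRL is regenerated.
revoke_client() {
  openssl ca -revoke "$CA/newcerts/$(client_serial).pem" -config "$CA/openssl.conf" 2>/dev/null
  openssl ca -gencrl -config "$CA/openssl.conf" -out "$CA/private/ca.crl" 2>/dev/null
}
setup_ca
verify_client && echo "before revocation: client $(client_serial) accepted"
revoke_client
verify_client || echo "after revocation: client $(client_serial) rejected"
```

On a real deployment the last step that the script cannot stand in for is nginx -s reload, since nginx reads ca.crl only at (re)load.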

1.6 nginx references

https://blog.csdn.net/rexueqingchun/article/details/82251563
https://help.aliyun.com/document_detail/54508.html?spm=5176.2020520152.0.0.61bb16ddEk6YWC

2 ingress HTTPS two-way authentication (revocation not working)

2.1 ingress example

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: nginx-test
  namespace: default
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret

2.2 create tls-secret and ca-secret

# tls-secret can use the self-built server certificate
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key

# ca-secret is created from the CA directory
cd /etc/nginx/ca/private
kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt

# then create the ingress
kubectl create -f ingress.yaml

2.3 add additional annotations

The cross-origin (CORS) problem with ingress is handled by adding the following annotations to the ingress:

  annotations:
    nginx.ingress.kubernetes.io/cors-allow-headers: >-
      DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
    nginx.ingress.kubernetes.io/cors-allow-methods: 'PUT, GET, POST, OPTIONS'
    nginx.ingress.kubernetes.io/cors-allow-origin: '*'
    nginx.ingress.kubernetes.io/enable-cors: 'true'

Force the ingress to redirect to 443:

    nginx.ingress.kubernetes.io/ssl-redirect: 'true'

Restrict access to a source address whitelist:

    nginx.ingress.kubernetes.io/whitelist-source-range: '192.168.5.3'

2.4 ingress references

https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/
https://kubernetes.github.io/ingress-nginx/examples/PREREQUISITES/#client-certificate-authentication
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
