
How to quickly configure SSL two-way authentication in Nginx

2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to quickly configure SSL two-way authentication in Nginx. The editor thinks it is very practical and shares it here as a reference; follow along to have a look.

A project currently has a security requirement that only individual users may have access. Following the principle of not solving a problem with code when configuration can solve it, we simply add some restrictions and modifications in Nginx.

There are in fact many ways to meet this requirement. After a comprehensive evaluation, SSL two-way authentication turned out to be the easiest scheme for users, so this is the one we decided to use.

Note: this scheme was implemented on Ubuntu Server 16.04 LTS. Adjust it as appropriate for other operating systems.

SSL two-way authentication

Most SSL applications use one-way authentication: as long as the client trusts the server, it can encrypt with the server's public key and send a request to the server, and the server obtains the request data by decrypting it with its private key.

The process can also be reversed: the server trusts the client and uses the client's public key to encrypt the data it returns to the client. The principle and implementation are similar to one-way authentication.

Because the server trusting the client is usually accompanied by the client authenticating the server, the SSL authentication method in which the server trusts the client is commonly called SSL two-way authentication. To configure SSL two-way authentication, you must first enable SSL on the server, that is, first configure the client to trust the server.

SSL two-way authentication configuration of Nginx

The first step is to enable https access.

As the theory above says, we must first turn on SSL in Nginx, that is, enable https. This is relatively simple. Free certificate schemes such as Let's Encrypt now exist, so you no longer have to build your own CA and self-sign. We skip the process of applying for a free certificate and post the https-enabled configuration directly:

    server {
        listen 80;
        listen 443 ssl http2;
        server_name example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # The TLSv1.3 protocol is supported only in Nginx >= 1.13.0
        # ssl_protocols TLSv1.3;
        # Nginx versions below 1.13.0 use this configuration.
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver 223.5.5.5 114.114.114.114 valid=300s;
        resolver_timeout 5s;

        # Enable HSTS. If your domain serves http applications on non-standard ports, do not enable HSTS
        # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        # The following header rejects framed content. Make sure your website does not use frame / iframe
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        # Needed for Let's Encrypt renewal; not needed if you do not use Let's Encrypt
        location /.well-known {
            root /usr/share/nginx/html;
        }

        # ... SNIP ...

        # Force http to redirect to https
        if ($scheme != "https") {
            return 301 https://$http_host$request_uri;
        }
    }

The SSL settings above are taken from https://cipherli.st/, which hardens the SSL configuration.

Pay special attention to the forced https redirect at the end. Our goal is SSL two-way authentication, which makes no sense without https, so we must force the redirect to https.

The second step is to generate and sign client certificates (scripts)

Many articles already describe this process in detail, so I won't dwell on openssl and the signing process here. The aim of this article is to quickly generate certificates for the two-way authentication configuration, so the scripts are pasted directly. The commands are based on various openssl two-way authentication documents on the Internet, simplified and adapted to run non-interactively.

The whole directory structure is as follows:

    # tree /etc/nginx/ssl_certs/
    /etc/nginx/ssl_certs/
    ├── create_ca_cert.sh
    ├── create_client_cert.sh
    ├── revoke_cert.sh

    0 directories, 3 files

Create the directory /etc/nginx/ssl_certs/ and put three scripts in it: create_ca_cert.sh generates the CA certificate and the CA directory (it only needs to be run once, the first time); create_client_cert.sh creates a client certificate and signs it with the CA certificate (the CA certificate must already exist); revoke_cert.sh revokes a certificate and can be used when you need to withdraw access.

Each script contains the following:

create_ca_cert.sh

    #!/bin/bash -e

    # Create the CA root certificate
    # The following values are supplied non-interactively:
    # Country name (2-letter code)
    C=CN
    # Province
    ST=Shannxi
    # City
    L=Xian
    # Company name (quoted because it contains a space)
    O="My Company"
    # Organization or department name
    OU="Technical Department"
    # Server FQDN or issuer name
    CN=www.example.com
    # Email address
    emailAddress=admin@example.com

    # Directory layout expected by the default openssl.cnf (./demoCA)
    mkdir -p ./demoCA/{private,newcerts}
    touch ./demoCA/index.txt
    [ ! -f ./demoCA/serial ] && echo 01 > ./demoCA/serial
    [ ! -f ./demoCA/crlnumber ] && echo 01 > ./demoCA/crlnumber
    # Self-signed CA certificate and its private key
    [ ! -f ./demoCA/cacert.pem ] && openssl req -utf8 -new -x509 -days 36500 -newkey rsa:2048 -nodes -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
    # Initial (empty) CRL
    [ ! -f ./demoCA/private/ca.crl ] && openssl ca -crldays 36500 -gencrl -out "./demoCA/private/ca.crl"

create_client_cert.sh

    #!/bin/bash -e

    show_help () {
        echo "$0 [-h|-?|--help] [--ou ou] [--cn cn] [--email email]"
        echo "-h|--help    show help"
        echo "--ou         set the organization or department name"
        echo "--cn         set the FQDN or owner name, for example: Feng Yu"
        echo "--email      set the FQDN or owner email, for example: fengyu@example.com"
    }

    while [[ $# -gt 0 ]]
    do
        case $1 in
            -h|-\?|--help)
                show_help
                exit 0
                ;;
            --ou)
                OU="${2}"
                shift
                ;;
            --cn)
                CN="${2}"
                shift
                ;;
            --email)
                emailAddress="${2}"
                shift
                ;;
            --)
                shift
                break
                ;;
            *)
                echo -e "Error: $0 invalid option '$1'\nTry '$0 --help' for more information.\n" >&2
                exit 1
                ;;
        esac
        shift
    done

    # Create the client certificate
    # The following values are supplied non-interactively:
    # Country name (2-letter code)
    C=CN
    # Province
    ST=Shannxi
    # City
    L=Xian
    # Company name (quoted because it contains a space)
    O="My Company"
    # Organization or department name
    OU="${OU:-test department}"
    # Server FQDN or grantee name
    CN="${CN:-demo}"
    # Email address
    emailAddress="${emailAddress:-demo@example.com}"

    mkdir -p "${CN}"

    # Private key and signing request in one command
    [ ! -f "${CN}/${CN}.key" ] && openssl req -utf8 -nodes -newkey rsa:2048 -keyout "${CN}/${CN}.key" -new -days 36500 -out "${CN}/${CN}.csr" -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
    # Sign the request with the CA in ./demoCA
    [ ! -f "${CN}/${CN}.crt" ] && openssl ca -utf8 -batch -days 36500 -in "${CN}/${CN}.csr" -out "${CN}/${CN}.crt"
    # Bundle key and certificate as PKCS12 for browser import.
    # "-passout pass:" sets an empty export password, so hand the .p12 over through a secure channel.
    [ ! -f "${CN}/${CN}.p12" ] && openssl pkcs12 -export -clcerts -CApath ./demoCA/ -inkey "${CN}/${CN}.key" -in "${CN}/${CN}.crt" -certfile "./demoCA/cacert.pem" -passout pass: -out "${CN}/${CN}.p12"

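revoke_cert.sh

    #!/bin/bash -e

    # Revoke a signed certificate; $1 is the directory name (the CN used at creation)
    openssl ca -revoke "${1}/${1}.crt"
    # Regenerate the CRL that Nginx reads through ssl_crl.
    # Unlike create_ca_cert.sh, no -crldays is passed here, so the CRL's next-update
    # time comes from default_crl_days in openssl.cnf; Nginx rejects client
    # certificates once the CRL has expired, so regenerate it before then.
    openssl ca -gencrl -out "./demoCA/private/ca.crl"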

A quick analysis of the scripts. The first one creates the CA. On Ubuntu, the default CA path configured in /etc/ssl/openssl.cnf is ./demoCA. To avoid changing the default configuration, the script simply creates the directories and files that the default configuration expects. openssl has many subcommands, but, as with git, commands can be combined: for example, a single command, openssl req -nodes -newkey rsa:2048 -keyout client.key -new -out client.csr, generates both the private key and the signing request, doing the work of genrsa as part of req. Since the CA creation script is only needed the first time, the certificate settings are simply hard-coded in the script.

Next is the script that creates a client certificate. To make things simple for users, the certificate is generated and signed on the server side and then issued to the user. Since users may belong to different departments and have different names and email addresses, these three parameters are externalized, with some parameter parsing and a friendly command-line help message so they are not forgotten. Pay special attention to the last line of this script, which generates a certificate in PKCS12 format. By default openssl generates certificates in PEM format, which keeps the public key separate from the private key, but the browser needs these contents merged into a certificate chain when importing. The signed certificate and the private key file are therefore merged into a PKCS12 certificate, and only the .p12 file is given to the user.

The last script revokes a certificate. When you want to withdraw a user's access, run the script followed by the directory name.

Next, run the script that creates the CA:

    ./create_ca_cert.sh
    Generating a 2048 bit RSA private key
    ...+++
    ..+
    writing new private key to './demoCA/private/cakey.pem'
    -----
    Using configuration from /usr/ssl/openssl.cnf

The ./demoCA directory generated at this point has the following structure:

    demoCA/
    ├── cacert.pem
    ├── crlnumber
    ├── crlnumber.old
    ├── index.txt
    ├── newcerts
    ├── private
    │   ├── ca.crl
    │   └── cakey.pem
    └── serial

    2 directories, 7 files

At this point, you can configure Nginx. Append the following to the one-way SSL configuration above:

    ssl_client_certificate ssl_certs/demoCA/cacert.pem;
    ssl_crl ssl_certs/demoCA/private/ca.crl;
    ssl_verify_client on;

ssl_client_certificate is the CA certificate for client certificates; every certificate issued by this CA is trusted. ssl_verify_client on; makes client authentication mandatory. Invalid clients (no certificate, or an untrusted certificate) receive a 400 error.

Pay special attention to ssl_crl, which makes Nginx read a CRL (Certificate Revocation List) file. As mentioned earlier, we may need to withdraw a user's access, so we need to be able to revoke certificates and generate a CRL file that tells Nginx which certificates have been revoked.

Note: the Nginx configuration is static. It is loaded into memory when the configuration file is read and is not re-read even if the file contents change. So when the CRL file changes, Nginx does not know that a new certificate has been revoked, and you must reload to make Nginx re-read the configuration: service nginx reload or nginx -s reload

Restart the Nginx service now, and the SSL two-way authentication configuration is complete.

Let's issue a certificate and see:

    ./create_client_cert.sh --ou "Finance Department" --cn "Finance Manager" --email cy@example.com
    Generating a 2048 bit RSA private key
    ..+++
    .....+
    writing new private key to 'Finance Manager/Finance Manager.key'
    -----
    Using configuration from /usr/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jun 14 16:03:46 2018 GMT
                Not After : May 21 16:03:46 2118 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Shannxi
                organizationName          = My Company
                organizationalUnitName    = \U8D22\U52A1\U90E8
                commonName                = \U8D22\U52A1\U7ECF\U7406
                emailAddress              = cy@example.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    B5:91:0B:1F:FC:25:3B:2A:F9:EF:39:39:51:E3:1F:64:78:8A:C3:75
                X509v3 Authority Key Identifier:
                    keyid:86:55:76:15:A3:F5:58:CB:8F:39:A3:56:8E:FF:18:97:AE:27:60:0F

    Certificate is to be certified until May 21 16:03:46 2118 GMT (36500 days)

    Write out database with 1 new entries
    Data Base Updated

    tree "Finance Manager/"
    Finance Manager/
    ├── Finance Manager.crt
    ├── Finance Manager.csr
    ├── Finance Manager.key
    └── Finance Manager.p12

    0 directories, 4 files

This script generates the private key file (.key), the signing request file (.csr), the certificate file signed by the CA (.crt, which contains no private key), and the PKCS12 certificate file (.p12) that bundles the crt file and the key. Download the p12 file to your local machine, double-click it, and click Next all the way through to import the certificate.

Note: since the CA certificate file does not change, signing a new client certificate does not require restarting or reloading Nginx.

Now when we open our website https://www.example.com, the browser prompts us to select an existing client certificate for authentication, after which we can see the content of the website.

Note: after importing a new certificate, you must restart the browser before it prompts for the new certificate file.

In this way, you issue as many certificates with this script as there are people who need authorization, and each user can access the site normally after importing the p12 certificate locally.

When we need to withdraw someone's access (for example, when they resign), we revoke their certificate:

    ./revoke_cert.sh "Finance Manager"
    Using configuration from /usr/ssl/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    Using configuration from /usr/ssl/openssl.cnf

    service nginx reload

This script revokes the signed certificate (crt) and updates the CRL file automatically. Note that Nginx must be reloaded or restarted to load the new CRL. The revoked certificate can then no longer access the website.
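The reload requirement can be checked against the database that openssl ca keeps in ./demoCA/index.txt. The following is an added example, not part of the original article: it assumes the index.txt field layout described in its comments, and the function names, the sample rows and the operator-recorded last-reload timestamp are hypothetical.

```bash
#!/bin/bash
# Added example: audit ./demoCA/index.txt, the database `openssl ca` maintains.
# Each line is TAB-separated:
#   status (V valid, R revoked, E expired), expiry, revocation time[,reason],
#   serial (hex), file name, subject DN
# Revocation times are UTC as YYMMDDHHMMSSZ, so they order as plain strings.

# Print "serial<TAB>CN" for every certificate with the given status letter.
list_by_status() {            # usage: list_by_status INDEX_FILE STATUS
  awk -F'\t' -v want="$2" '
    $1 == want {
      cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
      print $4 "\t" cn
    }' "$1"
}

# Print "serial<TAB>CN<TAB>revoked-at" for certificates revoked after the last
# Nginx reload; Nginx keeps accepting these until it re-reads the CRL.
# Assumption: LAST_RELOAD is recorded by the operator in the same format,
# e.g. with `date -u +%y%m%d%H%M%SZ` right after each reload.
revoked_since_reload() {      # usage: revoked_since_reload INDEX_FILE LAST_RELOAD
  awk -F'\t' -v since="$2" '
    $1 == "R" {
      when = $3; sub(/,.*/, "", when)   # strip the optional ",reason" suffix
      if (when > since) {
        cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
        print $4 "\t" cn "\t" when
      }
    }' "$1"
}

# Constructed sample in index.txt format (not taken from the article's CA).
sample_index() {
  dn='/C=CN/ST=Shannxi/O=My Company/OU=demo'
  printf 'R\t21180521160346Z\t180620093000Z\t01\tunknown\t%s/CN=user-a/emailAddress=a@example.com\n' "$dn"
  printf 'V\t21180522080000Z\t\t02\tunknown\t%s/CN=user-b/emailAddress=b@example.com\n' "$dn"
  printf 'R\t21180523080000Z\t180701120000Z,keyCompromise\t03\tunknown\t%s/CN=user-c/emailAddress=c@example.com\n' "$dn"
}

# Demo: with the last reload at 2018-06-25 00:00 UTC, serial 03 is still accepted.
tmp=$(mktemp) && sample_index > "$tmp"
revoked_since_reload "$tmp" 180625000000Z
rm -f "$tmp"
```

On the real CA, pass ./demoCA/index.txt instead of the sample file; any line it prints means a reload is still pending.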
