java - nginx+tomcat+双向SSL认证，jsp文件一直不能获取客户端证书信息

Question

certs=(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

这段永远都是null不知道是哪里问题？nginx？还是tomcat？

网上搜索了不少信息，但是都没有解决，有人直接用tomcat来当https服务器是可以解决，但是我真不想那么做

nginx用http和https打开tomcat的页面都正确了，并且也弹出了证书选择的对话框，但是服务端就是不能获取客户端的认证证书信息

这段是NGINX的配置文件的

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    


    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

    }



    upstream tomcat {
        server 192.168.2.114:8080 fail_timeout=0;
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;
    
        ssl_certificate      d:/ssl/server.crt;
        ssl_certificate_key  d:/ssl/server.key;
        ssl_client_certificate d:/ssl/ca.crt;

    ssl on;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
    ssl_verify_client on;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # note, there is not SSL here! plain HTTP is used
              client_max_body_size    16m;
              client_body_buffer_size 128k;
              proxy_pass                          http://tomcat/;
              proxy_set_header        Host $host;
              proxy_set_header        X-Real-IP $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header           X-Forwarded-Proto https;
              proxy_next_upstream   off;

              proxy_connect_timeout   30;
              proxy_read_timeout      300;
              proxy_send_timeout      300;
        }
    }

}

这段是tomcat的

     <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" 
                   scheme="https"
                   proxyName="192.168.2.114"
                   proxyPort="443" />
                   
   <Valve className="org.apache.catalina.valves.RemoteIpValve"
                      remoteIpHeader="x-forwarded-for"
                      remoteIpProxiesHeader="x-forwarded-by"
                      protocolHeader="x-forwarded-proto"/>

Answer 1

Saya mencari penghantaran sijil dan nampaknya menjumpai artikel ini, yang masih belum disahkan dan mungkin dapat menyelesaikan masalah ini

1. Hierarki sijil

1. Struktur pelayan

Tomcat tidak memerlukan pengesahan pelanggan, nginx memerlukan pengesahan pelanggan

1. Perkara yang perlu diperhatikan semasa mengkonfigurasi kucing jantan

CN sijil pelayan tomcat mestilah tomcat_backend

1. titik konfigurasi nginx yang perlu diperhatikan

Gunakan openssl untuk mengeksport kunci awam format pem daripada fail pfx

openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
Gunakan openssl untuk mengeksport kunci peribadi format pem daripada fail pfx

openssl pkcs12 -nocerts -nodes -in cert.p12 -out private.pem
Gunakan openssl untuk menjana rantaian sijil CA

Eksport sijil kunci awam CA akar dan CA perantaraan Contohnya, nama fail selepas eksport ialah root.pem ca.pem

Gabungkan root.pem ca.pem ke dalam satu fail, ca.pem dahulu, root.pem last

cat ca.pem >> chain.pem
cat root.pem >> konfigurasi segmen pelayan nginx

server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate nginx服务器证书公钥;
    ssl_certificate_key nginx服务器证书私钥;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; # 如果使用默认值，在谷歌浏览器中会提示使用的加密套件过时
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ; # 如果使用默认值，在谷歌浏览器中会提示使用的加密套件过时
    ssl_prefer_server_ciphers on;
    ssl_verify_client on; # 开启客户端验证
    ssl_verify_depth 2; # 这里一定要注意，服务器证书上面有几级CA就写几
    ssl_client_certificate chain.pem; # 证书链 用于验证客户端提供的证书
    ssl_trusted_certificate 证书链;
    location / {
        proxy_pass https://tomcat_backend;
        include proxy.conf;
    ｝
}

Lulus sijil pelanggan kepada tomcat hujung belakang melalui pengepala http. Konfigurasikan dalam fail proxy.conf

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Client-Cert $ssl_client_cert; # 将客户端证书放到http头中传递给后端的tomcat
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 30;
proxy_send_timeout 15;
proxy_read_timeout 15;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_ssl_certificate localhost.pem; # 如果后端的tomcat也要求客户端认证，则nginx与tomcat建立连接时会把该证书发送给tomcat
proxy_ssl_certificate_key localhost.key;
proxy_ssl_trusted_certificate chain.pem; # 如果启用了proxy_ssl_verify，则使用该文件中的CA公钥验证后端tomcat的证书
proxy_ssl_verify on; # nginx是否验证后端tomcat的证书
proxy_ssl_verify_depth 2;

Untuk mendapatkan maklumat tentang cara menjana sijil CA, sijil pelanggan dan sijil pelayan, sila rujuk "Melaksanakan Pengesahan Dua Hala SSL dalam Projek JEE"

Answer 2

Melaksanakan pengesahan dua hala SSL dalam projek JEE