上游加密Nginx `proxy_ssl_trusted_certificate`

Question

我试图在nginx中使用proxy_pass，其中对上游服务器的连接进行了加密。上游服务器的证书已由letsencrypt创建。

# upstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/upstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/upstream.example.com/privkey.pem; # managed by Certbot

    # ...
  }
}

当不验证下游服务器中的代理证书时，一切正常。

# downstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/downstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/downstream.example.com/privkey.pem; # managed by Certbot

    proxy_ssl on;
    proxy_ssl_verify off;

    proxy_pass upstream.example.com:636;

    # ...

  }
}

但是，如果我试图在下游服务器上验证上游证书，则在nginx错误日志中获得上游SSL证书验证错误：(2:无法获得颁发者证书)而SSL与上游握手。

# downstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/downstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/downstream.example.com/privkey.pem; # managed by Certbot

    proxy_ssl on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream.example.com/chain.pem;
    proxy_ssl_verify_depth 2;

    proxy_pass upstream.example.com:636;

    # ...

  }
}

如果我试图连接的上游服务器有一个letsencrypt证书，那么我需要proxy_ssl_trusted_certificate和proxy_ssl_verify_depth的哪些设置？

我将proxy_ssl_verify_depth从0更改为5，并使用了上游服务器的fullchain.pem、chain.pem和cert.pem for proxy_ssl_trusted_certificate，但都没有成功。

更多信息

使用openssl验证CA证书有效：

# openssl verify -verify_depth 2 chain.pem
chain.pem: OK

根据CA证书验证来自上游服务器fullchain.pem的证书工作：

# openssl verify -CAfile chain.pem fullchain.pem
fullchain.pem: OK

进一步参考资料

• https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
• https://nginx.org/en/docs/http/ngx_http_proxy_module.html

Answer 1

proxy_ssl_trusted_certificate所需的CA证书不是由letsencrypt或上游服务器提供的。它已经安装在下游服务器上。

在Ubuntu上，CA证书的位置是/etc/ssl/certs/ca-certificates.crt。

# downstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/downstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/downstream.example.com/privkey.pem; # managed by Certbot

    proxy_ssl on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_pass upstream.example.com:636;

    # ...

  }
}

文档

https://nginx.org/en/docs/http/ngx_http_proxy_module.html

打开

proxy_ssl_verify；启用或禁用对代理HTTPS服务器证书的验证。

proxy_ssl_verify_depth编号；在代理的HTTPS服务器证书链中设置验证深度。

proxy_ssl_trusted_certificate文件；指定具有可信CA证书的文件，格式为PEM格式，用于验证代理HTTPS服务器的证书。

另请参阅

• https://unix.stackexchange.com/a/484938/91720
• https://serverfault.com/a/1052976/167331