AMAZON API Gateway(2)Client Side SSL with NGINX
2022-03-30 19:24:10
AMAZON API Gateway(2)Client Side SSL with NGINX or NodeJS
1 API Gateway to Connect to AWS API
https://aws.amazon.com/api-gateway/faqs/
Can Amazon API Gateway work within an Amazon VPC?
Can I verify that it is API Gateway calling my backend?
SSL for LB
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-update-ssl-cert.html#us-update-lb-SSLcert-console
Client side SSL
http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Client SSL for NodeJS
http://www.graemeboy.com/validating-https-nodejs
Client Side SSL for Nginx
http://nategood.com/client-side-certificate-authentication-in-ngi
https://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/
https://gist.github.com/mtigas/952344
2 Stop the Apache on my Local for 80 Port
sudo apachectl stop
3 Start with NGINX
Start the nginx server
> sudo sbin/nginx
I installed the latest stable version of nginx, nginx-1.6.3.
Error Message 1:
nginx: [emerg] unknown directive "ssl_client_certificate" in /home/carl/tool/nginx-1.6.3/conf/nginx.conf:43
Solution:
http://sillycat.iteye.com/blog/2074417
> ./configure --with-http_stub_status_module --with-http_ssl_module --prefix=/home/carl/tool/nginx-1.6.3
http://suoranciata.github.io/ssl-client-auth.html
4 Configure the Client Side Certificate Validation
http://suoranciata.github.io/ssl-client-auth.html
http://*.com/questions/11840873/how-to-proxy-http-x-ssl-client-s-dn-header
This is the mock server that outputs all the headers it receives:
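// Mock upstream that echoes the request line and every header it received.
// Header names and values come from the client (or from nginx's proxy_set_header),
// so they are escaped before being placed inside the <pre> element; otherwise a
// header such as User-Agent could inject markup into the echoed page.
const escapeHtml = (value) =>
  String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');

require('http').createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
  res.write('<pre>');
  res.write(`${escapeHtml(req.method)} ${escapeHtml(req.url)} HTTP/${req.httpVersion}\n`);
  // req.headers is a plain object keyed by lower-cased header name.
  for (const [name, value] of Object.entries(req.headers)) {
    res.write(`${escapeHtml(name)}: ${escapeHtml(value)}\n`);
  }
  res.end('</pre>');
}).listen(8080);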
This is the output
GET / HTTP/1.0
x-ssl-client-verify: NONE
host: 127.0.0.1:8080
connection: close
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8,zh-TW;q=0.6,zh;q=0.4
This is the nginx.conf file; it seems that I need to turn ssl on to make it work.
# NOTE(review): `ssl on;` is the legacy switch; newer nginx releases expect the
# `ssl` parameter on the listen directive instead (the listen line is outside this snippet).
ssl on;
# Certificate and key the server presents to clients. Here the CA's own cert and
# key are reused as the server identity — confirm that is intended; normally the
# server has its own certificate issued by the CA.
ssl_certificate /home/carl/install/keys/ca.crt;
ssl_certificate_key /home/carl/install/keys/ca.key;
# Trust anchor used to verify the certificate presented by the client.
ssl_client_certificate /opt/nginx/conf/certs/ca.crt;
ssl_verify_depth 1;
# "optional": the handshake succeeds even when the client presents no certificate
# or one that does not verify; the outcome is only reported in $ssl_client_verify
# (SUCCESS, FAILED:<reason>, or NONE), so the upstream must check
# X-SSL-client-verify itself before granting access.
ssl_verify_client optional;
location / {
proxy_pass http://127.0.0.1:8080;
# Forward the client-certificate facts to the upstream. The upstream trusts these
# headers, so 127.0.0.1:8080 must only be reachable through this proxy — a client
# that can reach the upstream directly could supply the headers itself.
proxy_set_header X-SSL-client-serial $ssl_client_serial;
proxy_set_header X-SSL-client-s-dn $ssl_client_s_dn;
proxy_set_header X-SSL-client-i-dn $ssl_client_i_dn;
proxy_set_header X-SSL-client-session-id $ssl_session_id;
proxy_set_header X-SSL-client-verify $ssl_client_verify;
}
If I need client-side certificate validation, I need to have ssl on; it is a little more complex than I thought. Reading more documents.
If I want to do that within NodeJS:
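const https = require('https');
const fs = require('fs');

// TLS options for the server: key/cert are what the server presents to the
// client; `ca` is the trust store used to verify the certificate the client presents.
const options = {
  key: fs.readFileSync('/home/carl/install/keys/ca.key'),
  cert: fs.readFileSync('/home/carl/install/keys/ca.crt'),
  // Ask the client for a certificate; without this no client authentication happens.
  requestCert: true,
  // CA(s) the client certificate must chain to; needed when the client uses a
  // certificate from a private (self-signed) CA.
  // NOTE(review): this path is relative while key/cert are absolute — confirm it
  // resolves from the directory the server is started in.
  ca: [fs.readFileSync('ssl/ca.crt')],
  // NOTE(review): with Node's default rejectUnauthorized=true, clients that fail
  // verification are dropped during the handshake and never reach the handler;
  // confirm the effective value if the "Access denied" branch is expected to run.
};

https.createServer(options, (req, res) => {
  // `socket.authorized` is set by the TLS layer once the client certificate has
  // been verified against `ca`. A denied request must not be answered with 200.
  if (req.socket.authorized) {
    res.writeHead(200);
    res.end('Hello.\nAccess granted.\n');
  } else {
    res.writeHead(403);
    res.end('Hello.\nAccess denied.\n');
  }
}).listen(8081);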
Hello.
Access denied.
References:
https://gist.github.com/mtigas/952344
http://*.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain
1 API Gateway to Connect to AWS API
https://aws.amazon.com/api-gateway/faqs/
Can Amazon API Gateway work within an Amazon VPC?
Can I verify that it is API Gateway calling my backend?
SSL for LB
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-update-ssl-cert.html#us-update-lb-SSLcert-console
Client side SSL
http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Client SSL for NodeJS
http://www.graemeboy.com/validating-https-nodejs
Client Side SSL for Nginx
http://nategood.com/client-side-certificate-authentication-in-ngi
https://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/
https://gist.github.com/mtigas/952344
2 Stop the Apache on my Local for 80 Port
sudo apachectl stop
3 Start with NGINX
Start the nginx server
> sudo sbin/nginx
I installed the latest stable version of nginx, nginx-1.6.3.
Error Message 1:
nginx: [emerg] unknown directive "ssl_client_certificate" in /home/carl/tool/nginx-1.6.3/conf/nginx.conf:43
Solution:
http://sillycat.iteye.com/blog/2074417
> ./configure --with-http_stub_status_module --with-http_ssl_module --prefix=/home/carl/tool/nginx-1.6.3
http://suoranciata.github.io/ssl-client-auth.html
4 Configure the Client Side Certificate Validation
http://suoranciata.github.io/ssl-client-auth.html
http://*.com/questions/11840873/how-to-proxy-http-x-ssl-client-s-dn-header
This is the mock server that outputs all the headers it receives:
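// Mock upstream that echoes the request line and every header it received.
// Header names and values come from the client (or from nginx's proxy_set_header),
// so they are escaped before being placed inside the <pre> element; otherwise a
// header such as User-Agent could inject markup into the echoed page.
const escapeHtml = (value) =>
  String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');

require('http').createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
  res.write('<pre>');
  res.write(`${escapeHtml(req.method)} ${escapeHtml(req.url)} HTTP/${req.httpVersion}\n`);
  // req.headers is a plain object keyed by lower-cased header name.
  for (const [name, value] of Object.entries(req.headers)) {
    res.write(`${escapeHtml(name)}: ${escapeHtml(value)}\n`);
  }
  res.end('</pre>');
}).listen(8080);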
This is the output
GET / HTTP/1.0
x-ssl-client-verify: NONE
host: 127.0.0.1:8080
connection: close
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8,zh-TW;q=0.6,zh;q=0.4
This is the nginx.conf file; it seems that I need to turn ssl on to make it work.
# NOTE(review): `ssl on;` is the legacy switch; newer nginx releases expect the
# `ssl` parameter on the listen directive instead (the listen line is outside this snippet).
ssl on;
# Certificate and key the server presents to clients. Here the CA's own cert and
# key are reused as the server identity — confirm that is intended; normally the
# server has its own certificate issued by the CA.
ssl_certificate /home/carl/install/keys/ca.crt;
ssl_certificate_key /home/carl/install/keys/ca.key;
# Trust anchor used to verify the certificate presented by the client.
ssl_client_certificate /opt/nginx/conf/certs/ca.crt;
ssl_verify_depth 1;
# "optional": the handshake succeeds even when the client presents no certificate
# or one that does not verify; the outcome is only reported in $ssl_client_verify
# (SUCCESS, FAILED:<reason>, or NONE), so the upstream must check
# X-SSL-client-verify itself before granting access.
ssl_verify_client optional;
location / {
proxy_pass http://127.0.0.1:8080;
# Forward the client-certificate facts to the upstream. The upstream trusts these
# headers, so 127.0.0.1:8080 must only be reachable through this proxy — a client
# that can reach the upstream directly could supply the headers itself.
proxy_set_header X-SSL-client-serial $ssl_client_serial;
proxy_set_header X-SSL-client-s-dn $ssl_client_s_dn;
proxy_set_header X-SSL-client-i-dn $ssl_client_i_dn;
proxy_set_header X-SSL-client-session-id $ssl_session_id;
proxy_set_header X-SSL-client-verify $ssl_client_verify;
}
If I need client-side certificate validation, I need to have ssl on; it is a little more complex than I thought. Reading more documents.
If I want to do that within NodeJS:
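const https = require('https');
const fs = require('fs');

// TLS options for the server: key/cert are what the server presents to the
// client; `ca` is the trust store used to verify the certificate the client presents.
const options = {
  key: fs.readFileSync('/home/carl/install/keys/ca.key'),
  cert: fs.readFileSync('/home/carl/install/keys/ca.crt'),
  // Ask the client for a certificate; without this no client authentication happens.
  requestCert: true,
  // CA(s) the client certificate must chain to; needed when the client uses a
  // certificate from a private (self-signed) CA.
  // NOTE(review): this path is relative while key/cert are absolute — confirm it
  // resolves from the directory the server is started in.
  ca: [fs.readFileSync('ssl/ca.crt')],
  // NOTE(review): with Node's default rejectUnauthorized=true, clients that fail
  // verification are dropped during the handshake and never reach the handler;
  // confirm the effective value if the "Access denied" branch is expected to run.
};

https.createServer(options, (req, res) => {
  // `socket.authorized` is set by the TLS layer once the client certificate has
  // been verified against `ca`. A denied request must not be answered with 200.
  if (req.socket.authorized) {
    res.writeHead(200);
    res.end('Hello.\nAccess granted.\n');
  } else {
    res.writeHead(403);
    res.end('Hello.\nAccess denied.\n');
  }
}).listen(8081);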
Hello.
Access denied.
References:
https://gist.github.com/mtigas/952344
http://*.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain