Mutual authentication in Nginx


Enabling HTTPS access in Nginx looks like this (in the server block of nginx.conf, or of a configuration file under the conf.d directory):

```nginx
server {
    listen 443 ssl;
    #listen [::]:443 ssl http2 default_server;
    server_name www.lemonlzy.cn;
    root /home/hexoBlog;

    # certificate file
    ssl_certificate "/etc/nginx/1_www.lemonlzy.cn_bundle.crt";

    # private key file
    ssl_certificate_key "/etc/nginx/2_www.lemonlzy.cn.key";
    ...
}
```

Enabling mutual authentication in Nginx looks like this:

```nginx
server {
    listen 443 ssl;
    #listen [::]:443 ssl http2 default_server;
    server_name www.lemonlzy.cn;
    root /home/hexoBlog;

    # certificate file
    ssl_certificate "/etc/nginx/1_www.lemonlzy.cn_bundle.crt";

    # private key file
    ssl_certificate_key "/etc/nginx/2_www.lemonlzy.cn.key";

    ssl_client_certificate /etc/nginx/ca.crt; # mutual authentication: CA that client certificates are verified against
    ssl_verify_client on;                     # mutual authentication: require and verify a client certificate
    ...
}
```

One-way authentication in Kubernetes


In Kubernetes, both one-way and mutual authentication are defined in the Ingress manifest; one-way authentication, in plain terms, simply means enabling HTTPS access.

One-way authentication is easy to configure: just add a tls section to the Ingress manifest (note that secretName under tls is the name of the certificate Secret):

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - your.hostname.cn
    secretName: tls-secret
  rules:
  - host: your.hostname.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8280
```

Creating the certificate Secret:

```bash
[root@lemonlzy cert]# ls
_.lemonlzy.cn.cer  _.lemonlzy.cn.key  ca.crt

[root@lemonlzy cert]# kubectl create secret tls tls-secret --key _.lemonlzy.cn.key --cert _.lemonlzy.cn.cer
secret/tls-secret created
```

Mutual authentication in Kubernetes


See also: client certificate authentication

See also: client certificate example

Mutual authentication, in plain terms, means that the client's certificate must be verified when the site is accessed. Only the attributes that need to be enabled in the Ingress are described below:

| Annotation | Description |
| --- | --- |
| `nginx.ingress.kubernetes.io/auth-tls-verify-client` | Enables verification of client certificates. Accepted values: `off` (default) and `on`. Effect: a client certificate is requested and verified against the CA defined by `nginx.ingress.kubernetes.io/auth-tls-secret: secretName`. A certificate that fails verification results in status code 400 (Bad Request). |
| `nginx.ingress.kubernetes.io/auth-tls-secret: secretName` | The name of the certificate Secret. |

Example

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
spec:
  tls:
  - hosts:
    - your.hostname.cn
    secretName: tls-secret
  rules:
  - host: your.hostname.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8280
```
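The verification step behind both `ssl_verify_client on` in the Nginx section and `auth-tls-verify-client: "on"` here, as an added Go example that is not part of the original post: a client certificate is admitted only if it chains to the CA loaded from ca.crt (the file behind `ssl_client_certificate` and the `ca-secret`), so a client that presents nothing or a certificate from some other CA gets the 400 described in the table. The CA, the client certificates and the names `demo CA`, `other CA`, `client-1` and `client-2` are constructed in-process for the demonstration and are not the post's real files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue returns a certificate for cn signed by parent (self-signed when parent is nil) and its new Ed25519 key; constructed test data.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root, the kind of certificate ca.crt holds
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyClient is the check behind ssl_verify_client on / auth-tls-verify-client: "on": the presented
// certificate must chain to the CA from ca.crt. nil means admitted; an error is where nginx answers 400.
func VerifyClient(ca, presented *x509.Certificate) error {
	if presented == nil {
		return errors.New("no client certificate presented")
	}
	roots := x509.NewCertPool() // the trust store built from ca.crt (ssl_client_certificate / auth-tls-secret)
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Verdicts runs VerifyClient for a client that presents nothing, one whose certificate
// was issued by the trusted CA, and one whose certificate comes from an unrelated CA.
func Verdicts() (noCert, trusted, untrusted error) {
	ca, caKey := issue("demo CA", true, nil, nil)
	good, _ := issue("client-1", false, ca, caKey)
	otherCA, otherKey := issue("other CA", true, nil, nil)
	bad, _ := issue("client-2", false, otherCA, otherKey)
	return VerifyClient(ca, nil), VerifyClient(ca, good), VerifyClient(ca, bad)
}
```

Only the CA certificate goes into ca.crt and the ca-secret; the client keys stay with the clients, which is why a certificate from an unrelated CA is rejected even though it is otherwise valid.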