问题描述
如何设置expressjs的请求以正确识别与https nginx服务器的TLS连接,以便我可以通过getPeerCertificate
进行身份验证?
How can set the request of expressjs to properly identify a TLS connection with https nginx server so that I can perform authentication through getPeerCertificate
?
这是我的Nginx配置,用于将请求传输到expressjs api
this is my nginx config to transfer request to expressjs api
location /api {
proxy_pass http://10.88.132.14:4337/api;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
推荐答案
您需要传递SSL令牌,然后手动对其进行解码.您可以通过将X-SSL-CERT
与$ssl_client_escaped_cert
相加来传递它.确保您使用的是Nginx 1.13或更高版本,因为$ssl_client_escaped_cert
在1.12中不存在.
You need to pass the SSL-token and then manually decode it. You pass it through adding X-SSL-CERT
with the $ssl_client_escaped_cert
. Make sure you are using Nginx 1.13 or later as the $ssl_client_escaped_cert
didn't exist in 1.12.
location /api {
proxy_pass http://10.88.132.14:4337/api;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
}
现在您不能使用getPeerCertifice()
,因为这需要完整的SSL连接.而是使用x509
包从上方解码x-ssl-cert
标头:
Now you can't use getPeerCertifice()
as this requires the full SSL-connection. Instead you decode the x-ssl-cert
header from above using the x509
package:
let cert = req.headers['x-ssl-cert'];
try {
cert = decodeURIComponent(cert);
console.log(x509.getSubject(cert));
} catch (error) {
console.log('Bad SSL-certificate?', error);
}
这篇关于express.js设置tls连接https nginx服务器进行请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!