本文介绍了Nginx - 如何访问客户端证书的主题备用名称(SAN)字段的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个 Nginx 服务器,客户端使用包含特定 CN 和 SAN 的客户端证书向其发出请求.我希望能够提取该客户端证书的 CN(通用名称)和 SAN(主题备用名称)字段.

I have an Nginx server which clients make requests to with a Client certificate containing a specific CN and SAN. I want to be able to extract the CN (Common Name) and SAN (Subject Alternative Names) fields of that client cert.

粗略的示例配置:

server {
listen 443 ssl;
ssl_client_certificate /etc/nginx/certs/client.crt;
ssl_verify_client on; #400 if request without valid cert

location / {
    root    /usr/share/nginx/html;

}
location /auth_test {
    # do something with the CN and SAN.
    # tried these embedded vars so far, to no avail
    return 200 "
    $ssl_client_s_dn
    $ssl_server_name
    $ssl_client_escaped_cert
    $ssl_client_cert
    $ssl_client_raw_cert";
}
}

使用作为 ngx_http_ssl_module 模块的一部分公开的嵌入变量 I可以访问 DN(专有名称),因此可以访问 CN 等,但我似乎无法访问 SAN.

Using the embedded variables exposed as part of the ngx_http_ssl_module module I can access the DN (Distinguished Name) and therefore CN etc but I don't seem to be able to get access to the SAN.

我是否缺少一些嵌入式 var/其他模块/通用 Nginx foo?我可以访问原始证书,那么是否可以手动解码并提取它?

Is there some embedded var / other module / general Nginx foo I'm missing? I can access the raw cert, so is it possible to decode that manually and extract it?

我真的宁愿在 Nginx 层执行此操作,而不是将证书向下传递到应用程序层并在那里执行.

I'd really rather do this at the Nginx layer as opposed to passing the cert down to the application layer and doing it there.

非常感谢任何帮助.

推荐答案

可以通过OpenResty + Lua-OpenSSL 实现,解析原始证书获取.

You can do it through OpenResty + Lua-OpenSSL and parse the raw certificate to get it.

参考:https://github.com/Seb35/nginx-ssl-variables/blob/master/COMPATIBILITY.md#ssl_client_s_dn_x509

就像这样:

local varibleName = string.match(require("openssl").x509.read(ngx.var.ssl_client_raw_cert):issuer():oneline(),"/C=([^/]+)")

这篇关于Nginx - 如何访问客户端证书的主题备用名称(SAN)字段的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

05-17 17:12