Nat*_*tim 9 django nginx x509certificate x509
我想使用X509客户端身份验证进行安全的API访问.
X509证书由我们的CA(memberca)生成.
目的是:
我想,我可以直接在Nginx配置中管理它.我该怎么办?
我可以用Django做到吗?那我该怎么办呢?我可以使用任一解决方案向用户提供证书吗?
例如,Nginx可以使用WSGI标头映射一些证书数据,以便我可以匹配我的用户吗?
我已经配置了类似的设置.
首先,我使用Apache2来验证用户身份.
您需要启用mod_ssl,并且必须定义(全局):
现在您的服务器已准备好验证客户端X.509证书.
如果您不想将apache2用作正面Web服务器,则可以通过启用mod_proxy将其配置为反向代理.
你只需要像这样定义一个虚拟主机:
<VirtualHost *:443>
ServerName test.example.com:443
ServerAdmin webmaster@example.com
RequestHeader set Front-End-Https "On"
# Here I define two headers, Auth-User and Remote-User
# They will contain the key SSL_CLIENT_S_DN_CN which is the name of the
# client certificate's owner.
<If "-n %{SSL_CLIENT_S_DN_CN}">
# If the key doesn't exist, it means that the certificate wasn't sent or
# it was revoked.
RequestHeader set Auth-User "%{SSL_CLIENT_S_DN_CN}s"
RequestHeader set Remote-User "%{SSL_CLIENT_S_DN_CN}s"
</If>
# Now enable SSL, and SSL via the proxy
SSLEngine on
SSLProxyEngine on
## Require a client certificate
# SSLVerifyClient require
## NB: I prefer set it to optional, in order to allow the user
## to connect to my application with a degraded mode (login+password)
## It's easy to detect if the user was authenticated by apache by looking
## at HTTP_AUTH_USER or HTTP_REMOTE_USER
SSLVerifyClient optional
# Maximum depth of CA Certificates in Client Certificate verification
SSLVerifyDepth 4
# Now, I pass all of this to my application, which is runned in nginx for example :
<Location />
ProxyPass http://<applciation host>
ProxyPassReverse http://<applciation host>
ProxyPreserveHost on
# Send all informations about the client/server certificates to the application
SSLOptions +StdEnvVars +ExportCertData
</Location>
</VirtualHost>
现在,使用django,您只需启用此处所述的远程身份验证后端.
从客户端证书中提取的所有信息都将发送到应用程序,因此使用请求对象(和/或中间件)可以使用它们.
我希望它对你有帮助.
| 归档时间: |
|
| 查看次数: |
3893 次 |
| 最近记录: |