Hello,
I've made nginx support TLS (mutual authentication). It works
and is very cool, but I want to have some detailed log about the exchange of digital
certificates. For example, the log should have the exchange success and the client
digital certificate information in this exchange action.
My system is like: Browser <--TLS--> Nginx 1.0.8 <--HTTP--> Tomcat
So, what can I do?
Thanks for your work.
=============== nginx.conf ================
server
{
    listen 8889;
    server_name 192.168.10.251;
    index index.jsp index.html index.htm;
    charset utf-8;
    log_format tls_log '$remote_addr $remote_user [$time_local] "$request" $http_host '
                       '$status $upstream_status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" $ssl_protocol $ssl_cipher $upstream_addr '
                       '$request_time $upstream_response_time';
    access_log /usr/local/nginx/logs/http_8889_access.log tls_log;
    #TLS start
    ssl on;
    ssl_certificate ssl/server.crt;
    ssl_certificate_key ssl/server.key;
    ssl_client_certificate ssl/ca.crt;
    ssl_verify_client on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    #TLS end
    #chunkin for XTOM
    chunkin on;
    error_page 411 = @my_411_error;
    location @my_411_error {
        chunkin_resume;
    }
    location ~ /mux-.+ {
        proxy_pass http://192.168.10.123:8080;
        proxy_redirect default;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
    }
}
===========
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,235909,235909#msg-235909
on 2013-02-05 08:15
on 2013-02-05 09:00
Hi, I found a way to show the exchange of digital certificates information. I'm sorry, I did not read the document http://wiki.nginx.org/HttpSslModule
========ref=========
Module ngx_http_ssl_module supports the following built-in variables:
$ssl_cipher returns the cipher suite being used for the currently established SSL/TLS connection
$ssl_client_serial returns the serial number of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection
$ssl_client_s_dn returns the subject Distinguished Name (DN) of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection
$ssl_client_i_dn returns the issuer DN of the client certificate for the currently established SSL/TLS connection — if applicable, i.e., if client authentication is activated in the connection
$ssl_protocol returns the protocol of the currently established SSL/TLS connection — depending on the configuration and client available options it's one of SSLv2, SSLv3 or TLSv1
$ssl_session_id the Session ID of the established secure connection — requires Nginx version greater or equal to 0.8.20
$ssl_client_cert
$ssl_client_raw_cert
$ssl_client_verify takes the value "SUCCESS" when the client certificate is successfully verified
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,235909,235912#msg-235912
on 2013-02-05 09:10
My log format:
log_format tls_log '$remote_addr $remote_user [$time_local] "$request" $http_host '
                   '$status $upstream_status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" $upstream_addr [$request_time/$upstream_response_time] '
                   '[SSL]: $ssl_protocol $ssl_cipher SSL_CLIENT{Verify:$ssl_client_verify, Serial:$ssl_client_serial, SDN:$ssl_client_s_dn, IDN:$ssl_client_i_dn}';
And, thank you for your work.
nginx is very cool.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,235909,235913#msg-235913
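As an added example (not part of the thread), a small Python parser for the tls_log format posted above, run over constructed sample lines: it pulls out the SSL_CLIENT fields and reports connections whose client certificate was rejected or missing, connections negotiated over SSLv2/SSLv3 (which the posted config still permits), and which issuing CA each verified client chained to.

```python
import re
from collections import Counter

# Regex mirroring the tls_log format from the thread (same field order).
TLS_LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<http_host>\S+) '
    r'(?P<status>\d{3}) (?P<upstream_status>\S+) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" (?P<upstream_addr>\S+) '
    r'\[(?P<request_time>[^/]+)/(?P<upstream_response_time>[^\]]+)\] '
    r'\[SSL\]: (?P<ssl_protocol>\S+) (?P<ssl_cipher>\S+) '
    r'SSL_CLIENT\{Verify:(?P<ssl_client_verify>[^,]*), Serial:(?P<ssl_client_serial>[^,]*), '
    r'SDN:(?P<ssl_client_s_dn>.*?), IDN:(?P<ssl_client_i_dn>.*)\}$'
)

# Constructed sample lines (not real traffic): a verified client, a client
# whose certificate failed verification, and a client that sent none.
SAMPLE_LOG = """\
192.168.10.50 - [05/Feb/2013:09:12:01 +0800] "GET /mux-status HTTP/1.1" 192.168.10.251:8889 200 200 512 "-" "Mozilla/5.0" 192.168.10.123:8080 [0.012/0.010] [SSL]: TLSv1 DHE-RSA-AES256-SHA SSL_CLIENT{Verify:SUCCESS, Serial:1A2B3C, SDN:/C=CN/O=Example Corp/CN=alice, IDN:/C=CN/O=Example Corp/CN=Example Internal CA}
192.168.10.77 - [05/Feb/2013:09:12:05 +0800] "GET /mux-status HTTP/1.1" 192.168.10.251:8889 400 - 0 "-" "curl/7.29" - [0.001/-] [SSL]: TLSv1 AES128-SHA SSL_CLIENT{Verify:FAILED, Serial:-, SDN:-, IDN:-}
192.168.10.78 - [05/Feb/2013:09:12:09 +0800] "GET /mux-status HTTP/1.1" 192.168.10.251:8889 400 - 0 "-" "-" - [0.001/-] [SSL]: SSLv3 RC4-SHA SSL_CLIENT{Verify:NONE, Serial:-, SDN:-, IDN:-}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_tls_log(text):
    """Return one dict per line matching the tls_log format; skip the rest."""
    records = []
    for line in text.splitlines():
        m = TLS_LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def audit(records):
    """Summarise the mutual-TLS fields a defender reviews in this log."""
    return {
        # Handshakes where the client certificate was rejected or not sent.
        "not_verified": [r["remote_addr"] for r in records
                         if r["ssl_client_verify"] != "SUCCESS"],
        # Connections that negotiated a protocol the posted config still allows.
        "weak_protocol": [r["remote_addr"] for r in records
                          if r["ssl_protocol"] in WEAK_PROTOCOLS],
        # Issuing CA of each successfully verified client certificate.
        "issuers": Counter(r["ssl_client_i_dn"] for r in records
                           if r["ssl_client_verify"] == "SUCCESS"),
    }
```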