Nginx `proxy_ssl_trusted_certificate` 与 letsencrypt 上游

Question

我正在尝试将 proxy_pass 与 nginx 一起使用，其中与上游服务器的连接是加密的。上游服务器的证书已由 letsencrypt certbot 创建。

# upstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/upstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/upstream.example.com/privkey.pem; # managed by Certbot

    # ...
  }
}

当不在下游服务器验证代理证书时，一切正常。

# downstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/downstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/downstream.example.com/privkey.pem; # managed by Certbot

    proxy_ssl on;
    proxy_ssl_verify off;

    proxy_pass upstream.example.com:636;

    # ...

  }
}

但是，如果我尝试在下游服务器上验证上游证书，我会收到一个上游 SSL 证书验证错误:(2:unable to get issuer certificate) while SSL handshaking to upstream 在 nginx 错误日志中。

# downstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/downstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/downstream.example.com/privkey.pem; # managed by Certbot

    proxy_ssl on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream.example.com/chain.pem;
    proxy_ssl_verify_depth 2;

    proxy_pass upstream.example.com:636;

    # ...

  }
}

如果我尝试连接的上游服务器具有 letsencrypt 证书，我需要对 proxy_ssl_trusted_certificate 和 proxy_ssl_verify_depth 进行哪些设置？

我将 proxy_ssl_verify_depth 从 0 变为 5，并且我使用了上游服务器的 fullchain.pem、chain.pem，和 cert.pem 用于 proxy_ssl_trusted_certificate，但均未成功。

附加信息

使用 openssl 验证 CA 证书有效:

# openssl verify -verify_depth 2 chain.pem
chain.pem: OK

根据 CA 证书验证来自上游服务器的证书 fullchain.pem 有效:

# openssl verify -CAfile chain.pem fullchain.pem
fullchain.pem: OK

更多引用

• https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
• https://nginx.org/en/docs/http/ngx_http_proxy_module.html

Answer 1

letsencrypt 或上游服务器未提供 proxy_ssl_trusted_certificate 所需的 CA 证书。它已经安装在下游服务器上。

在 Ubuntu 上，CA 证书的位置是 /etc/ssl/certs/ca-certificates.crt。

# downstream server: nginx.conf

stream {
  server {
    listen 636 ssl;

    ssl_certificate /etc/letsencrypt/live/downstream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/downstream.example.com/privkey.pem; # managed by Certbot

    proxy_ssl on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_pass upstream.example.com:636;

    # ...

  }
}

文档

https://nginx.org/en/docs/http/ngx_http_proxy_module.html

proxy_ssl_verify on | off;

Enables or disables verification of the proxied HTTPS server certificate.

proxy_ssl_verify_depth number;

Sets the verification depth in the proxied HTTPS server certificates chain.

proxy_ssl_trusted_certificate file;

pecifies a file with trusted CA certificates in the PEM format used to verify the certificate of the proxied HTTPS server.

另见

• https://unix.stackexchange.com/a/484938/91720
• https://serverfault.com/a/1052976/167331