3.2 Upstream Encryption

Problem

You need to encrypt traffic between NGINX and the upstream service and set specific negotiation rules for compliance regulations or if the upstream is outside of your secured network.

Problem (translated)

You need to build secure communication between NGINX and the upstream server according to specific rules.


Solution

Use the SSL directives of the HTTP proxy module to specify SSL rules:

location / {
    proxy_pass https://upstream.example.com;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_protocols TLSv1.2;
}

These proxy directives set specific SSL rules for NGINX to obey. The configured directives ensure that NGINX verifies that the certificate and chain on the upstream service is valid up to two certificates deep. The proxy_ssl_protocols directive specifies that NGINX will only use TLS version 1.2. By default NGINX does not verify upstream certificates and accepts all TLS versions.

Solution (translated)

Use the SSL directives of the http module to build specific SSL communication rules:

location / {
    proxy_pass https://upstream.example.com;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_protocols TLSv1.2;
}

The example configures the SSL rules for communication between NGINX and the proxied server. First, secure-transport verification is enabled, and the certificate verification depth between NGINX and the proxied server is set to two levels. The proxy_ssl_protocols directive specifies that the TLS 1.2 protocol is used. By default, certificates are not verified and all versions of the TLS protocol may be used.


Discussion

The configuration directives for the HTTP proxy module are vast, and if you need to encrypt upstream traffic, you should at least turn on verification. You can proxy over HTTPS simply by changing the protocol on the value passed to the proxy_pass directive. However, this does not validate the upstream certificate. Other directives available, such as proxy_ssl_certificate and proxy_ssl_certificate_key, allow you to lock down upstream encryption for enhanced security. You can also specify proxy_ssl_crl, a certificate revocation list, which lists certificates that are no longer considered valid. These SSL proxy directives help harden your system's communication channels within your own network or across the public internet.

Discussion (translated)

The HTTP proxy module has many directives; if you need to enable secure transport, you should at least turn on verification. In addition, you can set the protocol in the proxy_pass directive to get HTTPS transport. However, this approach does not verify the proxied server's certificate. Other directives, such as proxy_ssl_certificate and proxy_ssl_certificate_key, let you further lock down encryption to the proxied server. There is also proxy_ssl_crl, a certificate revocation list, which lists certificates that are no longer considered valid. These SSL directives of the proxy module help you build secure communication both for internal services and across the internet.
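The following is an added configuration example, not from the book, that puts the weak form (HTTPS proxy_pass with no verification) beside a hardened form that wires up the directives the Discussion names. The hostnames and file paths are assumptions, and proxy_ssl_trusted_certificate, proxy_ssl_server_name and proxy_ssl_name are standard ngx_http_proxy_module directives that the recipe above does not show.

```nginx
# Added example (not the book's own config). Paths and host names are assumed.

# Weak: the hop is encrypted, but NGINX accepts any certificate the
# upstream presents, because verification is off by default.
location /legacy/ {
    proxy_pass https://upstream.example.com;
}

# Hardened: verify the upstream chain against a trust store you control,
# pin the protocol version, present a client certificate (mutual TLS)
# and reject revoked upstream certificates.
location / {
    proxy_pass https://upstream.example.com;

    # Turn verification on and give NGINX a CA bundle to verify against;
    # with proxy_ssl_verify on but no trusted-certificate file, the chain
    # cannot be built and the connection fails.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;   # assumed path

    # Send SNI so the upstream serves the expected certificate, and check
    # the certificate's name against the upstream host name.
    proxy_ssl_server_name on;
    proxy_ssl_name upstream.example.com;

    # Only negotiate TLS 1.2; the default also allows older versions.
    proxy_ssl_protocols TLSv1.2;

    # Mutual TLS: NGINX authenticates itself to the upstream.
    proxy_ssl_certificate     /etc/nginx/certs/proxy-client.pem;     # assumed path
    proxy_ssl_certificate_key /etc/nginx/certs/proxy-client.key;     # assumed path

    # Refuse upstream certificates listed in this revocation list.
    proxy_ssl_crl /etc/nginx/certs/upstream.crl;                     # assumed path
}
```

Validate the file with `nginx -t` before reloading; a failed upstream check is logged in the error log as an `upstream SSL certificate verify error` and the client receives a 502, which is the signal to alert on.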
