AWS API-Gateway 客户端身份验证和 NGINX

Question

目前我尝试使用 NGINX 后端服务器实现 AWS API Gateway 客户端身份验证。我想阻止对我的 api 的访问，除了 AWS API-Gateway。我在 AWS API Gateway 控制台（PEM 编码）上创建了一个客户端证书，并按如下方式设置了我的虚拟主机配置。我已经在使用 CA 签名的通配符证书来访问子域。

server {
    listen 443;
    server_name api.example.com;

    if ($bad_client) { return 403; }

    root /usr/share/nginx/api.example.com/public;
        index index.php;

    ssl on;
    ssl_stapling on;
    ssl_trusted_certificate aws-cert.pem;
    ssl_verify_client on;


    ssl_certificate /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_session_timeout 10m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    error_page 404 /404.html;
    location  /404.html {
        internal;
    }


    location / {
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PHP_VALUE "error_log=/var/log/php5-fpm.log";
    }


    location ~ /\.ht {
         deny  all;
     }
}

我收到以下错误消息，整个 nginx 服务不再可用。亚马逊的文档不是很有帮助。我做错了什么？

https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

 [emerg] 19636#0: no ssl_client_certificate for ssl_client_verify

Answer 1

为了让 Nginx 验证客户端，你需要告诉它客户端将使用哪个证书。在我的配置中，我有：

# Client auth via certs
ssl_client_certificate /etc/nginx/ssl/cert.pem;
ssl_trusted_certificate /etc/nginx/ssl/cert.pem;
ssl_verify_client on;

我不太清楚ssl_client_certificate 和ss_trusted_certificate 指令之间的区别；也许其他人可以解释一下。

Docs here.