Run the certs job defined in the Makefile.
Run the three containers with docker compose:
* nginx_tls: nginx serving plain TLS
* nginx_mtls: nginx serving mTLS
* nginx_mtls-only-client1: mTLS nginx that allows only CN=client1
$ docker compose up -d
[+] Running 3/3
✔ Container nginx_mtls
✔ Container nginx_tls
✔ Container nginx_mtls-only-client1
$ curl --resolve 'myserver.com:8880:127.0.0.1' https://myserver.com:8880 --cacert ./certs/ca.crt
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
$ curl --resolve 'myserver.com:8881:127.0.0.1' https://myserver.com:8881 --cacert ./certs/ca.crt
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.27.4</center>
</body>
</html>
$ curl --cert ./certs/client1.crt --key ./certs/client1.key --cacert ./certs/ca.crt --resolve 'myserver.com:8881:127.0.0.1' https://myserver.com:8881
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
$ curl --cert ./certs/client2.crt --key ./certs/client2.key --cacert ./certs/ca.crt --resolve 'myserver.com:8881:127.0.0.1' https://myserver.com:8881
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
Filtering client certificates on the mTLS-enabled nginx
Allow the client1 certificate and reject the client2 certificate
Allow only when the certificate's OU field is allowed
map $ssl_client_s_dn $client_allowed {
    default 0;
    ~OU=allowed 1;
}
$ curl --cert ./certs/client1.crt --key ./certs/client1.key --cacert ./certs/ca.crt --resolve 'myserver.com:8882:127.0.0.1' https://myserver.com:8882
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
$ curl --cert ./certs/client2.crt --key ./certs/client2.key --cacert ./certs/ca.crt --resolve 'myserver.com:8882:127.0.0.1' https://myserver.com:8882
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.27.4</center>
</body>
</html>
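As an added example (not the repository's own nginx.conf), the http-context fragment below wires the map into the port-8882 server so that a missing client certificate yields the 400 seen above, a verified certificate whose DN is not allow-listed yields the 403, and each decision is logged. Certificate paths and the log path are assumptions; the regex is anchored on the comma-separated RFC 2253 form that nginx 1.11.6+ uses for $ssl_client_s_dn.

```nginx
# Subject DN allow-list. nginx 1.11.6+ renders $ssl_client_s_dn in RFC 2253
# form, e.g. "CN=client1,OU=allowed,O=Example" (comma-separated, no spaces),
# so anchor the attribute: the bare ~OU=allowed used above would also match a
# certificate carrying OU=allowed-guests.
map $ssl_client_s_dn $client_allowed {
    default 0;
    "~(^|,)OU=allowed(,|$)" 1;
}

# Record who presented which certificate and how the decision came out.
log_format mtls '$remote_addr dn="$ssl_client_s_dn" verify="$ssl_client_verify" '
                'allowed=$client_allowed status=$status "$request"';

server {
    listen 8882 ssl;
    server_name myserver.com;

    # Server identity (paths assumed; match the compose volume mount).
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # Require a client certificate issued by the demo CA (./certs/ca.crt).
    # A handshake without one is answered with 400 ("No required SSL
    # certificate was sent") before any directive below applies.
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    access_log /var/log/nginx/mtls_access.log mtls;   # assumed path

    # Certificate verified, but its DN is not on the allow-list: 403,
    # which is the client2 result shown above.
    if ($client_allowed = 0) {
        return 403;
    }

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

Run `nginx -t` against the assembled config before reloading; a regex that fails to compile in the map is reported there rather than at request time.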