tls – 微宇宙

ssl_preread是基于L4的反代方案，TLS SNI握手时客户端会提供域名，所以可以让Nginx在无需完成TLS握手的情况下，就根据域名进行后端服务器的选择。简单来讲，你只需要给后端服务器配置一个SSL证书，而提供反代功能的Nginx则无需配置。文档见此：http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

因为这是L4反代，所以通过“proxy_set_header”传递客户端IP的方法是行不通的。其实传递客户端IP的解决办法跟上一篇文章类似：L4(传输层)IP透明反向代理的实现(传递客户端真实IP)，nginx也是实现了IP_TRANSPARENT的：https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy#ip-transparency，所以，在server里面加上下面一行：

proxy_bind $remote_addr transparent;

1	proxy_bind $remote_addr transparent;

然后按前一篇文章的思路，对路由表进行配置即可。

提醒一下，ssl_preread是配置在stream block下的，放在别的地方，会提示：

nginx: [emerg] "ssl_preread" directive is not allowed here in /etc/nginx/nginx.conf

1	nginx: [emerg] "ssl_preread" directive is not allowed here in /etc/nginx/nginx.conf

所以正确的nginx.conf结构应该如下：

...
http {
    ...
    server {
        ...
    }
    server {
        ...
    }
    ...
}
...
stream {
    map $ssl_preread_server_name $name {
        backend.example.com      backend;
        default                  backend2;
    }

    upstream backend {
        server 192.168.0.1:12345;
        server 192.168.0.2:12345;
    }

    upstream backend2 {
        server 192.168.0.3:12345;
        server 192.168.0.4:12345;
    }

    server {
        listen      12346;
        proxy_pass  $name;
        proxy_bind $remote_addr transparent;
        ssl_preread on;
    }
}
...

...

http {

...

server {

...

}

server {

...

}

...

}

...

stream {

map $ssl_preread_server_name $name {

backend.example.com backend;

default backend2;

}

upstream backend {

server 192.168.0.1:12345;

server 192.168.0.2:12345;

}

upstream backend2 {

server 192.168.0.3:12345;

server 192.168.0.4:12345;

}

server {

listen 12346;

proxy_pass $name;

proxy_bind $remote_addr transparent;

ssl_preread on;

}

...

另外，如果在stream中listen了443，http中就无法listen 443了，启动nginx会提示：

nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)

1	nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)

可以让http中的server listen loopback地址的另一个端口，让stream中的server proxy_pass这个loopback地址的端口，例如127.0.2.1:8443，然后通过127.0.2.1做策略路由：

...
http {
    ...
    server {
        ...
        listen 127.0.2.1:8443 ssl http2;

        port_in_redirect off; # 重要：阻止nginx重定向到此Server listen的端口
        ...
    }
    server {
        ...
    }
    ...
}
...
stream {
    map $ssl_preread_server_name $name {
        localbackend.com         local_backend; # 这里指定使用http中的server
        backend.example.com      backend;
        default                  backend2;
    }

    upstream backend {
        server 192.168.0.1:12345;
        server 192.168.0.2:12345;
    }

    upstream backend2 {
        server 192.168.0.3:12345;
        server 192.168.0.4:12345;
    }

    # 对应http中的server
    upstream local_backend {
        server 127.0.2.1:443;
    }

    server {
        listen      443;
        proxy_pass  $name;
        proxy_bind $remote_addr transparent; # 加了这个才能传递客户端IP
        ssl_preread on;
    }
}
...

...

http {

...

server {

...

listen 127.0.2.1:8443 ssl http2;

port_in_redirect off; # 重要：阻止nginx重定向到此Server listen的端口

...

}

server {

...

}

...

}

...

stream {

map $ssl_preread_server_name $name {

localbackend.com local_backend; # 这里指定使用http中的server

backend.example.com backend;

default backend2;

}

upstream backend {

server 192.168.0.1:12345;

server 192.168.0.2:12345;

}

upstream backend2 {

server 192.168.0.3:12345;

server 192.168.0.4:12345;

}

# 对应http中的server

upstream local_backend {

server 127.0.2.1:443;

}

server {

listen 443;

proxy_pass $name;

proxy_bind $remote_addr transparent; # 加了这个才能传递客户端IP

ssl_preread on;

}

...

然后配置策略路由：

root@nginx:~# ip rule add from 127.0.2.1 lookup 61
root@nginx:~# ip route add local 0.0.0.0/0 dev lo table 61

1 2	root@nginx:~# ip rule add from 127.0.2.1 lookup 61 root@nginx:~# ip route add local 0.0.0.0/0 dev lo table 61

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

使用TLS连接libvirtd时，默认需要验证客户端是否拥有由CA签名的证书，详见libvirtd配置文件（/etc/libvirt/libvirtd.conf）：

# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1

# Flag to disable verification of client certificates

# Client certificate verification is the primary authentication mechanism.

# Any client which does not present a certificate signed by the CA

# will be rejected.

# Default is to always verify. Uncommenting this will disable

# verification - make sure an IP whitelist is set

#tls_no_verify_certificate = 1

取消此行的注释即可关闭此验证（当然你得启用其它身份认证途径）：

#tls_no_verify_certificate = 1

1	#tls_no_verify_certificate = 1

也可选择以让CA给客户端签发证书：

# 自行修改CA私钥与证书的路径
CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"
CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# 客户端私钥，CSR，证书保存路径
PKI_PREFIX="/tmp/client_pki/"
CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"
CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"
CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

oldUmask=$(umask)
umask 0077
mkdir -p ${PKI_PREFIX}

# 生成客户端私钥
openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048
# 生成客户端CSR，根据自己需要自行修改subjects
openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH}
# CA通过CSR签发证书，根据需要自行修改有效期
openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650
# 把CA证书放进去
cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem

umask ${oldUmask}

# 把${PKI_PREFIX}传送到客户端
# scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki

# 自行修改CA私钥与证书的路径

CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"

CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# 客户端私钥，CSR，证书保存路径

PKI_PREFIX="/tmp/client_pki/"

CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"

CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"

CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

oldUmask=$(umask)

umask 0077

mkdir -p ${PKI_PREFIX}

# 生成客户端私钥

openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048

# 生成客户端CSR，根据自己需要自行修改subjects

openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH}

# CA通过CSR签发证书，根据需要自行修改有效期

openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650

# 把CA证书放进去

cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem

umask ${oldUmask}

# 把${PKI_PREFIX}传送到客户端

# scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki

完成上面的操作后，把整个${PKI_PREFIX}目录打包到客户端服务器上，在libvirt connection uri上加上参数pkipath=${PKI_PREFIX}即可：

virsh --connect qemu+tls://LIBVIRT_SERVER_HOST/system?pkipath=${HOME}/libvirt-server-pki

1	virsh --connect qemu+tls://LIBVIRT_SERVER_HOST/system?pkipath=${HOME}/libvirt-server-pki

当然如果CA证书，客户端私钥以及证书都放在默认位置，可以不使用pkipath参数，详见References [1]。

References:

[1] https://libvirt.org/remote.html#Remote_URI_reference

标签： tls

Nginx ssl_preread传递客户端IP

libvirtd: virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.