我试图通过将上游服务器作为代理来终止NGINX上的SSL。
工作环境在本地。我已经用了所有的方法来抑制这个错误,但是就是不成功
NGINX配置
stream {
upstream stream_backend {
server localhost:5011;
}
server {
listen 80;
listen 443 ssl;
proxy_pass stream_backend;
ssl_certificate /etc/ssl/certs/proxypool.crt;
ssl_certificate_key /etc/ssl/private/proxypool.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:20m;
}
}
生成证书的方式
sudo openssl req -x509 -nodes -days 9999 -newkey rsa:2048
-keyout /etc/ssl/private/proxypool.key
-out /etc/ssl/certs/proxypool.crt
*对所有提示的答案为空
我执行请求的方式
proxies = {
'http': 'http://localhost',
'https': 'https://localhost'
}
response = requests.post(
'https://api.ipify.org?format=json',
proxies=proxies,
verify="/etc/ssl/certs/proxypool.pem"
)
误差
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.ipify.org', port=443): Max retries exceeded with url: /?format=json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1131)')))
Things I tried with no success
- 通过
verify=False
。certificate verify failed: Hostname mismatch, certificate is not valid for 'localhost'
结果 - 使用SSL验证绕过上下文
将您的自签名证书添加到Python证书包中,通过以下命令检查它的位置:
>>> import certifi
>>> certifi.where()
'/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-
packages/certifi/cacert.pem'
并将证书添加到该文件的末尾。