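cosocket does not yet support sending a client SSL certificate, so implementing mutual authentication with an upstream is rather cumbersome.
For now, to make mutually authenticated requests, I have had to use ngx.location.capture together with a proxy. Is there a better approach?
Also, I noticed that "cosocket: add client SSL certificiate support." is already in the TODO list; I hope it gets implemented soon.
Attached:
My current mutual-authentication setup: configure the proxy in the nginx configuration, then access it indirectly through ngx.location.capture.
Configuration: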
location /proxy/wxpay/refund/ {
    internal;
    proxy_ssl_certificate /home/mike/project/cert/apiclient_cert.pem;
    proxy_ssl_certificate_key /home/mike/project/cert/apiclient_key.pem;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 3;
    proxy_pass_request_headers off;
    proxy_connect_timeout 3s;
    proxy_pass "https://api.mch.weixin.qq.com/secapi/pay/refund";
}
Lua:
...
local res = ngx.location.capture("/proxy/wxpay/refund/", {
    method = ngx.HTTP_POST,
    body = xmlstr,
})
...
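
An added example, not part of the original post or of the lua-nginx-module project: a Lua module that wraps the capture call above and fails closed when the proxied mutual-TLS request does not complete cleanly. The module name, function name and error strings are hypothetical; it assumes the internal location /proxy/wxpay/refund/ from the configuration above.

```lua
-- wxpay_refund.lua (hypothetical module name; added example)
-- Wraps the ngx.location.capture workaround and refuses to hand back
-- anything unless the proxied mutual-TLS request fully succeeded.
local _M = {}

-- Internal location from the post's nginx configuration.
local REFUND_LOCATION = "/proxy/wxpay/refund/"

-- Returns the upstream response body, or nil plus an error string.
function _M.refund(xmlstr)
    if type(xmlstr) ~= "string" or xmlstr == "" then
        return nil, "empty request body"
    end

    -- The subrequest runs through the proxy module, which presents the
    -- client certificate (proxy_ssl_certificate / proxy_ssl_certificate_key)
    -- and verifies the upstream chain (proxy_ssl_verify on).
    local res = ngx.location.capture(REFUND_LOCATION, {
        method = ngx.HTTP_POST,
        body = xmlstr,
    })

    -- A failed connect, TLS handshake or certificate verification does not
    -- raise a Lua error; it shows up as an error status such as 502 or 504.
    if res.status ~= ngx.HTTP_OK then
        ngx.log(ngx.ERR, "refund subrequest failed, status=", res.status)
        return nil, "upstream status " .. res.status
    end

    -- truncated is set when the subrequest body was cut short, for example
    -- because the remote end closed the connection prematurely.
    if res.truncated then
        ngx.log(ngx.ERR, "refund subrequest returned a truncated body")
        return nil, "truncated upstream response"
    end

    return res.body
end

return _M
```

A caller would `require` the module and answer with `ngx.exit(ngx.HTTP_BAD_GATEWAY)` when `refund` returns nil, rather than parsing a partial or error body.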