"Nginx 双向 TLS(mTLS) 客户端证书校验配置"

Nginx 双向 TLS(mTLS) 客户端证书校验配置基本配置server { listen 443 ssl; server_name example.com; ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; ssl_client_certificate /etc/nginx/certs/ca_bundle.crt; ssl_verify_client on; ssl_verify_depth 2; location /api/ { proxy_pass http://127.0.0.1:7001; } } 可选增强启用 OCSP Stapling：`ssl_stapling on; ssl_stapling_verify on;`限制协议与套件：`ssl_protocols TLSv1.2 TLSv1.3;`验证要点使用有效的客户端证书访问，未提供或校验失败应返回 400/401通过日志确认证书主题与指纹总结mTLS 能在传输层完成双向身份验证，适合内外部接口的强保护场景。