Problem with proxy_set_header $ssl_client_cert

February 24, 2013 09:41AM
Hello,

I am having an issue while verifying client SSL certificates. Everything works fine until I attempt to forward the cert onto the upstream.

Once I add a line similar to the following in my location block, all requests become an error 400 Bad Request.
> proxy_set_header X-SSL-Client_Cert $ssl_client_cert;
(I've also tried $ssl_client_raw_cert, but the docs say "[$ssl_client_cert] is intended for the use in the proxy_set_header directive;")

Here is my entire location block:
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
    }

Originally I was using add_header X-SSL-Client-Cert in the server block, which did not throw a 400, but my upstream app was not seeing the header.

Once I remove the proxy_set_header line, the server works as expected: requests with a valid cert get passed through while unauthenticated requests get a 403. (This is done by checking $ssl_client_verify).

Am I missing something obvious? Any help would be greatly appreciated. Thank you.
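
Added example, not part of the original post or of nginx's own code: the nginx documentation describes $ssl_client_cert as PEM with every line after the first prefixed by a tab, so the header leaves nginx folded across several lines, and an upstream parser that refuses folded headers is one plausible source of the 400 (an assumption; the post does not confirm the cause). The Ruby code below, written for an upstream such as a Rack app behind unicorn, tells a single-line value from a folded one and rebuilds the certificate from the folded form, the unfolded form, or a URL-encoded value of the kind later nginx releases provide as $ssl_client_escaped_cert. All function names and the self-signed sample certificate are constructed for illustration.

```ruby
require "openssl"
require "uri"

PEM_RE = /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/m

# True when the value fits on one header line. A folded PEM contains CR/LF,
# which a strict upstream HTTP parser refuses.
def single_line_header?(value)
  !value.match?(/[\r\n]/)
end

# Rebuild the certificate from a forwarded X-SSL-Client-Cert value. Handles the
# folded $ssl_client_cert form ("\n\t" between lines, or spaces once unfolded)
# and URL-encoded text. Returns nil unless the value holds exactly one cert.
def client_cert_from_header(value)
  return nil if value.nil? || value.empty?
  text = value.include?("%") ? URI.decode_www_form_component(value) : value
  bodies = text.scan(PEM_RE)
  return nil unless bodies.size == 1
  b64 = bodies[0][0].gsub(/\s+/, "")
  OpenSSL::X509::Certificate.new(b64.unpack1("m0")) # m0 = strict base64
rescue OpenSSL::X509::CertificateError, ArgumentError
  nil
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-client")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The shapes the header value can take, built from a PEM string (constructed).
def forwarded_forms(pem)
  { folded:   pem.strip.gsub("\n", "\n\t"),          # $ssl_client_cert
    unfolded: pem.strip.gsub("\n", " "),             # folds collapsed to spaces
    escaped:  URI.encode_www_form_component(pem) }   # URL-encoded, one line
end

forwarded_forms(constructed_cert.to_pem).each do |name, value|
  puts "#{name}: one_line=#{single_line_header?(value)} parsed=#{!client_cert_from_header(value).nil?}"
end if __FILE__ == $PROGRAM_NAME
```

Parsing the header does not authenticate anything: the upstream should accept it only on connections from nginx, which has already checked the client via $ssl_client_verify. nginx should also set the header on every proxied request so that a copy supplied by the client never reaches the application.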
| Subject | Author | Posted |
|---|---|---|
| Problem with proxy_set_header $ssl_client_cert | jstrybis | February 24, 2013 09:41AM |
| Re: Problem with proxy_set_header $ssl_client_cert | Maxim Dounin | February 24, 2013 01:02PM |
| Re: Problem with proxy_set_header $ssl_client_cert | Lynoure | February 25, 2013 09:37AM |
| Re: Problem with proxy_set_header $ssl_client_cert | Sergey Budnevitch | February 25, 2013 04:00PM |
| Re: Problem with proxy_set_header $ssl_client_cert | Lynoure | February 26, 2013 06:27AM |
| Re: Problem with proxy_set_header $ssl_client_cert | jstrybis | February 25, 2013 05:00PM |


