nginx as reverse proxy with client ssl authentication

Posted by qsth 
nginx as reverse proxy with client ssl authentication
April 05, 2018 08:04AM
Hi,

I am using nginx 1.13.11 on Windows 10
I am trying to set up a reverse proxy for a HTTPS backend requiring client ssl authentication.

Tried this with the following config

---
worker_processes 1;

error_log logs/error.log debug;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;

    keepalive_timeout 65;

    server {
        listen 443 ssl;
        server_name localhost;

        # certificate and key nginx presents to its own clients
        ssl_certificate C:/data/nginx-1.13.11/conf/crt;
        ssl_certificate_key C:/data/nginx-1.13.11/conf/key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location /path {
            proxy_pass https://backend;
            # client certificate and key nginx presents to the backend
            proxy_ssl_certificate C:/data/nginx-1.13.11/conf/backend.crt;
            proxy_ssl_certificate_key C:/data/nginx-1.13.11/conf/backend.key;
        }
    }
}
---

This does not work. Debug log of a request can be found in the attached file.

Accessing the backend directly, with the backend cert+key imported into Firefox, works out of the box.

I do not know what software the backend is using.

Using my own Apache with client authentication as a backend for my nginx reverse proxy, this config works.

I have no clue how to solve this. Maybe it's an SSL problem between nginx and the backend?

Does anyone have a hint how to get it to work, or how to analyse why it is not working?
Attachments: nginx_debug.log (32.4 KB)
Re: nginx as reverse proxy with client ssl authentication
April 05, 2018 08:38AM
2018/04/05 13:45:15 [debug] 2708#4940: *8 http proxy status 401 "401 Unauthorized"
2018/04/05 13:45:15 [debug] 2708#4940: *8 http proxy header: "X-message-code: PWD_WRONG"
2018/04/05 13:45:15 [debug] 2708#4940: *8 http proxy header: "WWW-Authenticate: Basic realm="Password""

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: nginx as reverse proxy with client ssl authentication
April 05, 2018 08:43AM
Yes. This is a specialty of the backend. It does a basic auth if client ssl auth does not work.

But getting this auth request means something went wrong before...
Re: nginx as reverse proxy with client ssl authentication
April 09, 2018 03:23AM
Some additional info, because my question is maybe a bit confusing.
I want the reverse proxy to do the client-cert-auth, so the real clients can access the backend through the reverse proxy without doing client-cert-auth on their own.
Re: nginx as reverse proxy with client ssl authentication
May 18, 2018 09:24AM
Maybe you're interested in the solution:

There's really nothing helpful in these logs.

After doing a traffic capture together with the backend provider, the following was figured out.

Our client cert was signed by an intermediate certificate. The backend checked against the root CA certificate.

So we need to send the intermediate certificate together with the client cert in a file included by proxy_ssl_certificate.

Just put both certificates together like

cat client.cert intermediate.cert > client+intermediate.cert

Then it worked.
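
Added example, not part of the thread: a way to check a client certificate file before pointing proxy_ssl_certificate at it, by reproducing the situation from the last post with a throwaway chain. All keys, certificates, subject names and file names other than client.cert, intermediate.cert and client+intermediate.cert are constructed for the example, and it assumes an openssl binary with its default config file.

```shell
#!/usr/bin/env bash
# Added example. Every key, certificate and subject name is constructed here.
set -u
cd "$(mktemp -d)" || exit 1

new_req() {  # new_req NAME "Subject CN" -> NAME.key + NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # root CA -> intermediate CA -> client certificate
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  new_req root "Example Root CA" &&
  new_req intermediate "Example Intermediate CA" &&
  new_req client "example-proxy-client" &&
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.cert 2>/dev/null &&
  openssl x509 -req -in intermediate.csr -CA root.cert -CAkey root.key \
    -CAcreateserial -days 2 -extfile ca.ext -out intermediate.cert 2>/dev/null &&
  openssl x509 -req -in client.csr -CA intermediate.cert -CAkey intermediate.key \
    -CAcreateserial -days 2 -extfile leaf.ext -out client.cert 2>/dev/null
}

# What a backend that trusts only the root can do with the certificates in FILE:
# the first one is the client certificate, the rest are untrusted chain helpers.
backend_accepts() {
  openssl verify -CAfile root.cert -untrusted "$1" "$1" >/dev/null 2>&1
}

# nginx uses the first certificate in the file as its own, so the client
# certificate must come before the intermediate and match the private key.
key_matches_first_cert() {  # key_matches_first_cert BUNDLE KEY
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }

make_chain || { echo "openssl failed" >&2; exit 1; }
cat client.cert intermediate.cert > client+intermediate.cert   # order from the post
cat intermediate.cert client.cert > wrong-order.cert           # reversed order

report backend_accepts client.cert                                 # FAIL: issuer not sent
report backend_accepts client+intermediate.cert                    # ok
report key_matches_first_cert client+intermediate.cert client.key  # ok
report key_matches_first_cert wrong-order.cert client.key          # FAIL
```

Against a real deployment, the same two checks apply with the backend's root CA in place of root.cert and the actual client key in place of client.key.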