Welcome! Log In Create A New Profile

Advanced

nginx as reverse proxy with client ssl authentication

Posted by qsth 
nginx as reverse proxy with client ssl authentication
April 05, 2018 08:04AM
Hi,

I am using nginx 1.13.11 on Windows 10
I am trying to set up a reverse proxy for a HTTPS backend requiring client ssl authentication.

Tried this with the following config

---
worker_processes 1;


error_log logs/error.log debug;

events {
worker_connections 1024;
}


http {
include mime.types;
default_type application/octet-stream;



sendfile on;

keepalive_timeout 65;

server {
listen 443 ssl;
server_name localhost;

ssl_certificate C:/data/nginx-1.13.11/conf/crt;
ssl_certificate_key C:/data/nginx-1.13.11/conf/key;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location /path {
proxy_pass https://backend
proxy_ssl_certificate C:/data/nginx-1.13.11/conf/backend.crt;
proxy_ssl_certificate_key C:/data/nginx-1.13.11/conf/backend.key;
}

}

}
---

This does not work. Debug log of a request can be found in the attached file.

When accessing the backend directly with importing the backend cert+key into Firefox works out of the box.

I do not know what software the backend is using.

Using an own apache with client authentication as a backend for my nginx reverse proxy, this given config works.

I have no clue how to solve this. Maybe its an SSL Problem between the nginx and the backend?

Does anyone has a hint how to get it work or how to analyse the reason of not working?
Attachments:
open | download - nginx_debug.log (32.4 KB)
Re: nginx as reverse proxy with client ssl authentication
April 05, 2018 08:38AM
2018/04/05 13:45:15 [debug] 2708#4940: *8 http proxy status 401 "401 Unauthorized"
2018/04/05 13:45:15 [debug] 2708#4940: *8 http proxy header: "X-message-code: PWD_WRONG"
2018/04/05 13:45:15 [debug] 2708#4940: *8 http proxy header: "WWW-Authenticate: Basic realm="Password""

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: nginx as reverse proxy with client ssl authentication
April 05, 2018 08:43AM
Yes. This is a specialty of the backend. It does a basic auth if client ssl auth does not work.

But getting this auth request means something went wrong before...
Re: nginx as reverse proxy with client ssl authentication
April 09, 2018 03:23AM
Ad addintional info because my question is maybe a bit confusing.
I want to do the reverser proxy doing the client-cert-auth. So the real clients can access the backend thru the reverse proxy without doing client-cert-auth on their own.
Re: nginx as reverse proxy with client ssl authentication
May 18, 2018 09:24AM
maybe if you're interested in the solution:

theres really nothing helpful in this logs.

After doing a traffic capture together with the backend provider, following was figured out.

Our Client Cert was signed by an intermediate certificate. The Backend checked against the root ca certificat.

So we need to send the intermediate certificat together with the client cert in a file included by proxy_ssl_certificate.

Just put both certificates together like

cat client.cert intermediate.cert > client+intermediate.cert

Than it worked.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 90
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 254 on July 05, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready