Welcome! Log In Create A New Profile

Advanced

NGINX proxy to Ingress Controller with Client Certificate Authentication

Posted by bollicino 
NGINX proxy to Ingress Controller with Client Certificate Authentication
May 01, 2020 06:29PM
On my production env, I have a configuration with two Nginx and the communication between the two servers is secured with this config like this: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

INTERNET ---> NGINX reverse proxy ---TLS authentication---> NGINX upstream ---> Application

The conf work as expected, the upstream accept requests only by the trusted certificated.

But I need to migrate the upstream server from a bare metal server to a Kubernetes cluster on Azure Kubernetes Service. So, the conf on the server acting as a reverse proxy is unchanged and I migrate the config of the upstream to NGINX Ingress Controller.

I've deployed this image of the Ingress Controller: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0

And configured the resource as follow:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-backend
namespace: dev
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "dev/my-cert"
nginx.ingress.kubernetes.io/auth-tls-error-page: "https://google.com"
spec:
tls:
- hosts:
- my-backend.my-domain
secretName: my-cert
rules:
- host: my-backend.my-domain
http:
paths:
- path: /
backend:
serviceName: my-backend-service
servicePort: http

And the secret called "my-cert" includes: ca.crt tls.crt tls.key imported from the NGINX upstream. https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication

Config in the NGINX reverse proxy unchanged:

location / {
set $upstream my-upstream;
proxy_pass https://$upstream$request_uri;
proxy_set_header Host my-backend.my-domain;
proxy_set_header X-Request-ID $request_id;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_ssl_certificate /etc/nginx/ssl/client.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/client.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/nginx/CA/CA.pem;
proxy_ssl_session_reuse on;
}

The first attempt to try the config was a curl request from the reverse proxy to the Ingress Controller passing the client certificate:

curl --cacert /etc/nginx/CA/CA.pem --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.pem https://my-backend.my-domain/health
{"status":"UP"}

It works!

But trying to send a request through the NGINX reverse proxy I'm redirected to google.com page, as configured in the Ingress Controller. This is note the expected behaviour because, so the NGINX reverse proxy is not able to authenticate to the Nginx ingress controller.

Someone can help me to fix the config and make the auth working?
Re: NGINX proxy to Ingress Controller with Client Certificate Authentication
May 01, 2020 06:59PM
Attacched the ingress controller logs
Attachments:
open | download - ingress.log (6.6 KB)
Re: NGINX proxy to Ingress Controller with Client Certificate Authentication
May 01, 2020 07:55PM
I need to enable SNI support on the NGINX client:
proxy_ssl_server_name on;
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 86
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready