Welcome! Log In Create A New Profile


Inconsistent sending of client certs

Posted by bdmesh 
Inconsistent sending of client certs
November 03, 2016 03:52AM
We're having problems with getting NGINX to consistently send client certs. We have a scenario:

Caller -> NGINX1 -> NGINX2 -> Origin

In this scenario, NGINX1 is to pass a client cert to NGINX2. For testing, NGINX1 and NGINX2 were actually two different location blocks on the same local box (running in a alpine docker container) and the proxy target in the first location block was When we did that, our config of the first location block successfully sent client certs to the second location block and were validated.

However, when we moved change the proxy target in location 1 to an NGINX instance on another box instead, it stopped sending client certs (2nd location block had ssl_client_verify=="NONE"). The configuration of that second box was identical, and we know we had configuration at least generally correct as if we called it directly with our test tool (PAW) using the same client cert specified for NGINX1 to use, then NGINX reported "SUCCESS" for ssl_client_verify.

For some reason simply changing the proxy target of location block 1 seems to cause it to change behavior as it proxies on.... or at least that is the working theory. We're wondering if we somehow need to "install" the client cert on the host (alpine running in docker that is running on a coreos VM)... maybe the distinction is local vs external traffic. Or could it be something else?

Here's the stripped down basics of the server block file in question. Does anyone have any guidance on what might be happening? Thanks!

server {
listen 443 ssl;

server_name api.mytestservice.com;

ssl_certificate /etc/secrets/server.crt;
ssl_certificate_key /etc/secrets/server.key;
ssl_client_certificate /etc/secrets/cc-ca-chained.crt.pem;
ssl_crl /etc/secrets/crl.pem;
ssl_verify_client optional_no_ca;

-- we use a custom CA chain that we've installed, chain depth is never more than 3.
ssl_verify_depth 3;

proxy_ssl_certificate /etc/secrets/client-cert.crt;
proxy_ssl_certificate_key /etc/secrets/client-key.key;
proxy_ssl_session_reuse on;

location = /pointa {
--Use lua module to perform custom business logic on client certs.
--It's what checks the return values of ssl_client_verify and subject info.
access_by_lua_file /etc/myservice/lua/access.lua;

proxy_set_header Host $host;
proxy_pass; --This one sends client certs
-- proxy_pass https://api.secondhop.com/pointb; --This one fails to send on client certs

location = /pointb {
access_by_lua_file /etc/myservice/lua/access.lua;
content_by_lua '
ngx.say("<p>Made it!!!</p>")

Re: Inconsistent sending of client certs
November 04, 2016 08:14PM
So update - it's not internal to external. It appears to be that if I have two nginx instances with the same ssl profiles for server and cert and call between them, a client cert is not sent. But to any other target (even nginx with different profile), they do get sent. Why don't they send between themselves?

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 102
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 214 on March 20, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready