We're having problems with getting NGINX to consistently send client certs. We have a scenario:
Caller -> NGINX1 -> NGINX2 -> Origin
In this scenario, NGINX1 is to pass a client cert to NGINX2. For testing, NGINX1 and NGINX2 were actually two different location blocks on the same local box (running in a alpine docker container) and the proxy target in the first location block was http://127.0.0.1/secondaryLocation. When we did that, our config of the first location block successfully sent client certs to the second location block and were validated.
However, when we moved change the proxy target in location 1 to an NGINX instance on another box instead, it stopped sending client certs (2nd location block had ssl_client_verify=="NONE"). The configuration of that second box was identical, and we know we had configuration at least generally correct as if we called it directly with our test tool (PAW) using the same client cert specified for NGINX1 to use, then NGINX reported "SUCCESS" for ssl_client_verify.
For some reason simply changing the proxy target of location block 1 seems to cause it to change behavior as it proxies on.... or at least that is the working theory. We're wondering if we somehow need to "install" the client cert on the host (alpine running in docker that is running on a coreos VM)... maybe the distinction is local vs external traffic. Or could it be something else?
Here's the stripped down basics of the server block file in question. Does anyone have any guidance on what might be happening? Thanks!
server {
listen 443 ssl;
server_name api.mytestservice.com;
ssl_certificate /etc/secrets/server.crt;
ssl_certificate_key /etc/secrets/server.key;
ssl_client_certificate /etc/secrets/cc-ca-chained.crt.pem;
ssl_crl /etc/secrets/crl.pem;
ssl_verify_client optional_no_ca;
-- we use a custom CA chain that we've installed, chain depth is never more than 3.
ssl_verify_depth 3;
proxy_ssl_certificate /etc/secrets/client-cert.crt;
proxy_ssl_certificate_key /etc/secrets/client-key.key;
proxy_ssl_session_reuse on;
location = /pointa {
--Use lua module to perform custom business logic on client certs.
--It's what checks the return values of ssl_client_verify and subject info.
access_by_lua_file /etc/myservice/lua/access.lua;
proxy_set_header Host $host;
proxy_pass https://127.0.0.1/pointb; --This one sends client certs
-- proxy_pass https://api.secondhop.com/pointb; --This one fails to send on client certs
}
location = /pointb {
access_by_lua_file /etc/myservice/lua/access.lua;
content_by_lua '
ngx.say("<p>Made it!!!</p>")
';
}
}
