nginx https reverse proxy with client certificate.

Posted by itamofek 
June 03, 2018 11:58AM
All,

I am trying to use NGINX as a reverse proxy for https backend servers.


Client <-------> NGINX <-------> backend

NGINX proxy accepts only ssl connections on 443

Proxy's NGINX conf:

http {
    server {
        listen 443;
        ssl on;
        include snippets/self-signed.conf;
        include snippets/ssl-params.conf;
        # client certificate
        ssl_client_certificate /etc/nginx/client_certs/ca.crt;

        ssl_verify_client optional;

        location / {
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header Host $http_host;
            add_header Front-End-Https on;
            if ($host = 'secure_backend' ) {
                proxy_pass https://https_backend:443;
            }

            if ($host = 'backend' ) {
                proxy_pass http://http_backend;
            }

            proxy_redirect off;
            proxy_ssl_verify off;
            add_header Front-End-Https on;
            proxy_cache off;

            proxy_http_version 1.1;
            proxy_read_timeout 90;
        } # /location /
    }
}

I can successfully:

http://backend (client authenticated with proxy and passed using http to backend)

http://secure_backend (client authenticated with proxy and passed using https to https_backend)


However I am unable to:

https://secure_backend

access log:
CONNECThttps_backend:443 HTTP/1.1" 400 182 "-" "-"

error log:
2018/06/03 18:32:22 [warn] 754#754: "ssl_stapling" ignored, issuer certificate not found
2018/06/03 18:32:27 [warn] 920#920: "ssl_stapling" ignored, issuer certificate not found
2018/06/03 18:32:27 [debug] 923#923: epoll add event: fd:8 op:1 ev:00002001
2018/06/03 18:32:27 [debug] 923#923: epoll add event: fd:10 op:1 ev:00002001


Any ideas are appreciated.

BR
Itamar
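
A hardened variant of the proxy configuration in the post, shown as an added example that is not part of the original post: the client certificate is required rather than optional, the backend is chosen with a map instead of if blocks, and the backend's certificate is verified. The upstream addresses, the backend CA path and the backend certificate name are placeholders.

```nginx
# Added example, not the poster's configuration.
events {}

http {
    # Assumed upstream groups; the post shows only their names.
    upstream http_backend  { server 192.0.2.10:80; }    # placeholder address
    upstream https_backend { server 192.0.2.20:443; }   # placeholder address

    # Select the upstream from the requested host. Hosts that are not
    # listed map to an empty value and are rejected in the location below.
    map $host $backend_url {
        default         "";
        backend         http://http_backend;
        secure_backend  https://https_backend;
    }

    server {
        listen 443 ssl;
        include snippets/self-signed.conf;
        include snippets/ssl-params.conf;

        # Require a certificate signed by this CA on every connection,
        # instead of "optional" plus a check on $ssl_client_verify.
        ssl_client_certificate /etc/nginx/client_certs/ca.crt;
        ssl_verify_client on;

        location / {
            if ($backend_url = "") { return 404; }

            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_read_timeout 90;
            proxy_pass $backend_url;

            # Verify the backend's certificate (the post sets this to off).
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/nginx/backend_ca.crt;  # placeholder path
            proxy_ssl_server_name on;
            proxy_ssl_name secure_backend;  # assumed name in the backend certificate
        }
    }
}
```

Stock nginx does not implement the CONNECT method, so a client that is configured to use this server as a forward proxy still receives the 400 seen in the access log; this configuration only changes how the reverse-proxied requests are authenticated and how the backend is verified.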