Maxim Dounin
February 24, 2013 01:02PM

On Sun, Feb 24, 2013 at 09:41:38AM -0500, jstrybis wrote:

> Hello,
> I am having an issue while verifying client SSL certificates. Everything
> works fine until I attempt to forward the cert onto the upstream.
> Once I add a line similar to the following in my location block, all
> requests become an error 400 Bad Request.
> > proxy_set_header X-SSL-Client_Cert $ssl_client_cert;
> (I've also tried $ssl_client_raw_cert, but the docs say "[$ssl_client_cert]
> is intended for the use in the proxy_set_header directive;"
> Here is my entire location block:
> location @unicorn {
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header Host $http_host;
> proxy_redirect off;
> proxy_pass http://unicorn;
> }
> Originally I was using add_header X-SSL-Client-Cert in the server block,
> which did not throw a 400, but my upstream app was not seeing the header.
> Once I remove the proxy_set_header line, the server works as expected:
> requests with a valid cert get passed through while unauthenticated requests
> get a 403. (This is done by checking $ssl_client_verify).
> Am I missing something obvious? Any help would be very appreciated. Thank
> you.

The $ssl_client_cert variable abuses header continuation, and this
doesn't work with many http servers (including nginx itself).
There should be more portable way to pass client certificate to an
upstream server.

Maxim Dounin

nginx mailing list
Subject Author Posted

Problem with proxy_set_header $ssl_client_cert

jstrybis February 24, 2013 09:41AM

Re: Problem with proxy_set_header $ssl_client_cert

Maxim Dounin February 24, 2013 01:02PM

Re: Problem with proxy_set_header $ssl_client_cert

Lynoure February 25, 2013 09:37AM

Re: Problem with proxy_set_header $ssl_client_cert

Sergey Budnevitch February 25, 2013 04:00PM

Re: Problem with proxy_set_header $ssl_client_cert

Lynoure February 26, 2013 06:27AM

Re: Problem with proxy_set_header $ssl_client_cert

jstrybis February 25, 2013 05:00PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 103
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready