Maxim Dounin
February 24, 2013 01:02PM
Hello!

On Sun, Feb 24, 2013 at 09:41:38AM -0500, jstrybis wrote:

> Hello,
>
> I am having an issue while verifying client SSL certificates. Everything
> works fine until I attempt to forward the cert onto the upstream.
>
> Once I add a line similar to the following in my location block, all
> requests become an error 400 Bad Request.
> > proxy_set_header X-SSL-Client_Cert $ssl_client_cert;
> (I've also tried $ssl_client_raw_cert, but the docs say "[$ssl_client_cert]
> is intended for the use in the proxy_set_header directive;"
>
> Here is my entire location block:
> location @unicorn {
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header Host $http_host;
> proxy_redirect off;
> proxy_pass http://unicorn;
> }
>
> Originally I was using add_header X-SSL-Client-Cert in the server block,
> which did not throw a 400, but my upstream app was not seeing the header.
>
> Once I remove the proxy_set_header line, the server works as expected:
> requests with a valid cert get passed through while unauthenticated requests
> get a 403. (This is done by checking $ssl_client_verify).
>
> Am I missing something obvious? Any help would be very appreciated. Thank
> you.

The $ssl_client_cert variable abuses header continuation, and this
doesn't work with many http servers (including nginx itself).
There should be more portable way to pass client certificate to an
upstream server.

--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Problem with proxy_set_header $ssl_client_cert

jstrybis February 24, 2013 09:41AM

Re: Problem with proxy_set_header $ssl_client_cert

Maxim Dounin February 24, 2013 01:02PM

Re: Problem with proxy_set_header $ssl_client_cert

Lynoure February 25, 2013 09:37AM

Re: Problem with proxy_set_header $ssl_client_cert

Sergey Budnevitch February 25, 2013 04:00PM

Re: Problem with proxy_set_header $ssl_client_cert

Lynoure February 26, 2013 06:27AM

Re: Problem with proxy_set_header $ssl_client_cert

jstrybis February 25, 2013 05:00PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 63
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready