Hi,

I've got a problem when setting up nginx as load balancer between two tomcats with mutual authentication.

The system is like: Tomcat1 <--https-> Nginx <--https--> Tomcat2.

Before adding nginx, the mutual authentication between tomcat1 and tomcat2 works fine, using cert/key and keystore/truststore. Now with nginx, links between tomcat1 and nginx is OK, but the SSL handshake between nginx and tomcat2 not work. Wonder how to assign the keystore/truststore stuff that needed when communicating with tomcat2, can't find related directive in nginx ssl module configuration.

Any idea for this? Thanks!

My nginx configuration is like:

upstream backend {
server 10.1.1.1:8443;
server 10.1.1.2:8443;
}

server {
listen 8443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_ciphers ALL:!ADH:!kEDH:!SSLv2:!EXPORT40:!EXP:!LOW;
ssl_verify_client on;
ssl_verify_depth 2;

location / {
proxy_pass https://backend;
}
}

And tomcat2 configuration is like:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="100"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLCertificateFile="${catalina.base}/conf/ssl/server.crt"
SSLCertificateKeyFile="${catalina.base}/conf/ssl/server.key"
SSLCACertificateFile="${catalina.base}/conf/ssl/ca.crt"
SSLCipherSuite="ALL:!ADH:!kEDH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLVerifyClient="require" />

And the error log is:
2013/07/23 20:25:11 [error] 18116#0: *1 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client ***