I am a newbie to Nginx. We plan to use nginx as a reverse proxy to tomcat and node js on our systems. We plan to use MTLS to secure server to server communication (between nginx on different servers). An additional requirement is that we have to match the client certificate CN with an existing entry in /etc/hosts. What would be the simplest mechanism to do this? HttpPerlModule? Uwsgi?
Below is the config we have used to prototype nginx as reverse proxy with MTLS.

server {

listen 443 ssl;

server_name localhost;



error_page 500 502 503 504 /50x.html;

location = /50x.html {

root /usr/share/nginx/html;

}



#SSL Certs

#SSL Certs

ssl_certificate /etc/nginx/locations.d/b7k-vma170.crt;

ssl_certificate_key /etc/nginx/locations.d/b7k-vma170.key;

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers RC4:HIGH:!aNULL:!MD5:AES128-SHA:AES256-SHA:RC4-SHA:@STRENGTH;

ssl_client_certificate /etc/nginx/locations.d/root-ca.crt;

ssl_verify_client on;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 10m;



keepalive_timeout 70;



include /etc/nginx/locations.d/*.conf;

include /var/nginx/locations.d/*.conf;

deny all;
}
ip-allow.conf contents

allow 10.94.12.148;

allow 10.94.12.165;

deny all;


webapps.conf contents

location / {

root /var/lib/tomcat/webapps;

proxy_pass http://127.0.0.1:8082;



proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $http_host;

proxy_set_header X-Forwarded-Proto https;

proxy_redirect off;



proxy_connect_timeout 1200;

proxy_send_timeout 1200;

proxy_read_timeout 1200;

}

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx