Re: proxy_ssl_certificate not exchanging client certificates

Maxim Dounin
April 29, 2015 08:06AM
Hello!

On Tue, Apr 28, 2015 at 05:17:32PM -0400, lieut_data wrote:

> I was excited to see proxy_ssl_certificate and friends land in Nginx 1.7.8,
> and decided to revisit Nginx as a candidate for proxy caching an upstream
> server requiring client authentication. I've included the debugging
> configuration I've been playing around with at the end of this post.
>
> This particular upstream server does not trigger client authentication for
> all endpoints. For example, I can issue
>
> -----
> http http://NGINX_PROXY_IP/test/path Host:UPSTREAM_SERVER
> -----
>
> and get back the proxied response without error. However, for endpoints that
> require client authentication (triggered by the server after it examines the
> request path), nginx never gets a response. I've verified that the upstream
> server is working as expected using both wget:

What nginx doesn't support (or, rather, explicitly forbids) is
renegotiation. On the other hand, renegotiation is required if
one needs to ask for a client certificate only for some URIs, so
it's likely used in your case. You should see something like "SSL
renegotiation disabled" in logs at notice level.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
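
To confirm the diagnosis in the reply above, the following sketch scans an nginx error log for the "SSL renegotiation disabled" notice and groups the hits by request path and upstream. It is an added example, not code from the thread or from nginx; the layout of the context fields after the message and all sample lines (addresses, paths, host names) are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx error_log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message"
LINE_RE = re.compile(
    r'^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[(?P<level>\w+)\] '
    r'\d+#\d+: (?:\*\d+ )?(?P<msg>.*)$'
)
REQUEST_RE = re.compile(r'request: "\S+ (?P<uri>\S+)[^"]*"')
UPSTREAM_RE = re.compile(r'upstream: "(?P<upstream>[^"]+)"')
MARKER = "SSL renegotiation disabled"  # message text quoted in the reply

# Constructed sample log (assumed context fields, documentation addresses).
SAMPLE_LOG = """\
2015/04/29 08:00:00 [notice] 4242#0: signal process started
2015/04/29 08:00:01 [notice] 4242#0: *7 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.10, server: proxy.example, request: "GET /secure/report HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report", host: "upstream.example"
2015/04/29 08:01:01 [error] 4242#0: *7 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: proxy.example, request: "GET /secure/report HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report", host: "upstream.example"
2015/04/29 08:02:10 [notice] 4242#0: *9 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.11, server: proxy.example, request: "GET /secure/report?id=3 HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report?id=3", host: "upstream.example"
2015/04/29 08:03:30 [notice] 4242#0: *12 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.10, server: proxy.example, request: "POST /secure/admin HTTP/1.1", upstream: "https://198.51.100.5:443/secure/admin", host: "upstream.example"
"""

def renegotiation_hits(log_text):
    """Count renegotiation notices per (request path, upstream host:port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # The reply says the message appears at notice level only.
        if not m or m.group("level") != "notice" or MARKER not in m.group("msg"):
            continue
        req = REQUEST_RE.search(m.group("msg"))
        up = UPSTREAM_RE.search(m.group("msg"))
        # Drop the query string so variants of one endpoint group together.
        path = req.group("uri").split("?", 1)[0] if req else "(no request)"
        host = urlsplit(up.group("upstream")).netloc if up else "(no upstream)"
        hits[(path, host)] += 1
    return hits

if __name__ == "__main__":
    for (path, host), count in renegotiation_hits(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {path}  ->  {host}")
```

The message is only written if `error_log` is configured at `notice` level or lower; paths that appear in the output are the ones for which the upstream attempted renegotiation.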