Welcome! Log In Create A New Profile

Advanced

Re: proxy_ssl_certificate not working as expected

Maxim Dounin
March 16, 2016 04:14PM
Hello!

On Sun, Mar 13, 2016 at 07:24:05AM -0400, elanh wrote:

> Hello,
>
> I'm using nginx as a proxy to a backend server.
> The backend server is also using nginx and enforcing client certificate
> authentication using the ssl_client_certificate and ssl_verify_client
> directives.
>
> In my nginx server I set the following:
>
> location /proxy {
> proxy_pass https://www.backend.com;
>
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> proxy_ssl_certificate /etc/nginx/cert/client.crt;
> proxy_ssl_certificate_key /etc/nginx/cert/client.key;
> }
>
> according to
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate.
>
> However, the backend is still responding with a 400 reponse code "No
> required SSL certificate was sent".
>
> Note that when issuing requests to the backend server using wget with the
> client certificate, I get a valid 200 OK response.
>
> What am I missing in my nginx configuration?

Configuration looks fine, but likely it's not a configuration
which is used to handle the requests. Some basic hints:

- make sure to test with something low level like
telnet/curl/wget, browsers often return cached results;

- check if the configuration is actually loaded (you can use "nginx -t"
to check for syntax errors; look into error log after a
configuration reload to make sure reload went fine; just stop and
then start nginx to make sure);

- make sure the location you are configuring is one used for
requests (a simple test would be to write something like
"return 200 ok;" in it and check if "ok" is actually returned).

Note well that proxy_ssl_certificate is only available in nginx
1.7.8 and newer. Configuration testing as done by "nginx -t"
should complain about unknown directives if you are using an older
version.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

proxy_ssl_certificate not working as expected

elanh March 13, 2016 07:24AM

Re: proxy_ssl_certificate not working as expected

Maxim Dounin March 16, 2016 04:14PM

Re: proxy_ssl_certificate not working as expected

elanh March 28, 2016 06:11AM

Re: proxy_ssl_certificate not working as expected

elanh March 28, 2016 06:44AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 76
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready