Re: Nginx can’t proxy client certificate authentication

Francis Daly
March 17, 2019 01:36PM
On Sat, Mar 16, 2019 at 02:30:16PM -0400, WoMa wrote:

Hi there,

> I solved this problem maybe not elegantly but it works.

Good that you found a solution.

I think that what you describe is the way to do it -- nginx does the
client certificate authentication, and does not try to proxy that aspect.

> 3) In locations that require a certificate (/polishapi and
> /identityserver), it is verified whether the client's certificate
> authentication was successful; if not, error 403 is returned - access denied
>
> if ($ssl_client_verify != SUCCESS) {
> return 403;
> }

The only extra piece you could add, if the haproxy side wanted to know
which specific client certificate was used, would be to use some of the
variables listed around http://nginx.org/r/$ssl_client_i_dn in headers
sent to the upstream.

That's probably just an extra "nice-to-have", rather than a requirement,
of course.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
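
Added example, not part of the original message or of either poster's configuration: a sketch of the setup discussed above, where nginx verifies the client certificate and forwards its subject and issuer to the upstream in headers. The upstream address, file paths, `server_name`, the `X-SSL-Client-*` header names, plain-HTTP proxying and the use of `ssl_verify_client optional` are assumptions; the two locations and the 403 check come from the quoted text.

```nginx
# Added example; upstream address, paths and X-SSL-Client-* names are assumptions.
upstream haproxy_backend {
    server 127.0.0.1:8080;                 # placeholder for the haproxy side
}

server {
    listen 443 ssl;
    server_name example.test;              # placeholder

    ssl_certificate        /etc/nginx/tls/server.crt;     # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # CA that issued client certs

    # "optional" lets the handshake complete without a certificate so each
    # location can decide; assumed here because of the per-location check.
    ssl_verify_client optional;

    # Location without a certificate requirement: drop any client-supplied
    # copies of the identity headers (an empty value means "do not send").
    location / {
        proxy_set_header X-SSL-Client-Verify "";
        proxy_set_header X-SSL-Client-S-DN   "";
        proxy_set_header X-SSL-Client-I-DN   "";
        proxy_pass http://haproxy_backend;
    }

    location /polishapi {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # proxy_set_header replaces a same-named header sent by the client,
        # so the upstream only sees values nginx derived from the handshake.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-I-DN   $ssl_client_i_dn;
        proxy_pass http://haproxy_backend;
    }

    location /identityserver {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-I-DN   $ssl_client_i_dn;
        proxy_pass http://haproxy_backend;
    }
}
```

The `proxy_set_header` lines are repeated in each location because nginx inherits them from the enclosing level only when a location defines none of its own. The upstream can rely on these headers only if it accepts connections from nginx alone.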