Welcome! Log In Create A New Profile

Advanced

Various errors while configuring nginx for certificate-based client auth

December 05, 2019 06:51AM
Hi guys,

I'm using nginx in form of container (docker.io/nginx), version 1.17.3-alpine
I'm trying to setup my nginx to do TLS auth and then forward packets to another host in the network.
As part of this I also have to support some probes that continuously monitor a secondary location, same server, same port.

This is my configuration

```
server {
listen 443 ssl;
server_name mydomain.com;

ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;

ssl_client_certificate /etc/nginx/ca_certs/ca.crt;
ssl_verify_client optional;
ssl_verify_depth 2;

location = /healthz {
return 200 'the app is alive!';
}

location = / {
if ($ssl_client_verify != SUCCESS) {
return 403;
}

proxy_pass http://other-host:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header SSL_Client $ssl_client_s_dn;
proxy_set_header SSL_Client_Verify $ssl_client_verify;
}
}
```

First of all, as soon as I load the configuration I get the following error:

```
2019/12/05 10:22:35 [emerg] 1#1: invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36
nginx: [emerg] invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36
```

I find this if directive on any possible tutorial. I'm really not sure what's wrong here...

Also, even if I remove the if clause (just to see if otherwise it would work) I get another error:

```
2019/12/05 11:10:20 [emerg] 1#1: invalid number of arguments in "proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
nginx: [emerg] invalid number of arguments in "proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
```

Even after removing all the entire `location = /` block (to see if at least the container starts and /healtz return 200), I still get the following error:

```
2019/12/05 11:43:30 [error] 8#8: *90 open() "/etc/nginx/html/healtz" failed (2: No such file or directory), client: 172.16.0.158, server: , request: "GET /healtz HTTP/1.1", host: "mydomain.com"
172.16.0.158 - - [05/Dec/2019:11:43:30 +0000] "GET /healtz HTTP/1.1" 404 153 "-" "Wget" "-"
172.16.56.6 - - [05/Dec/2019:11:43:40 +0000] "GET / HTTP/1.1" 404 153 "-" "-" "-"
```

Shouldn't the return directive (as written) simply return a 200 and the message, even if a page is not present?

Sorry if I posted in the same thread three different issues... I just thought it would have made sense to post them together.

Thank you,

-Luca
Subject Author Posted

Various errors while configuring nginx for certificate-based client auth

lucaprete December 05, 2019 06:51AM

Re: Various errors while configuring nginx for certificate-based client auth

Maxim Dounin December 05, 2019 08:02AM

Re: Various errors while configuring nginx for certificate-based client auth

lucaprete December 05, 2019 09:35AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 103
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready