Welcome! Log In Create A New Profile

Re: How to establish secure connection between NGINX <-> https upstream API

Forum List Message List New Topic Print View

Francis Daly

March 13, 2020 09:32AM

On Thu, Mar 12, 2020 at 10:47:40PM -0700, satscreate wrote:

Hi there,

> https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#

> location /upstream {
> proxy_pass https://$upstream$request_uri;
> proxy_ssl_certificate /etc/nginx/client.pem;
> proxy_ssl_certificate_key /etc/nginx/client.key;

> proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

> What is below client.pem & client.key?
>
> is this the nginx client files which needs to be created and signed with CA?

The page you link to says

"""
Add the client certificate and the key that will be used to
authenticate NGINX on each upstream server with proxy_ssl_certificate
and proxy_ssl_certificate_key directives:
"""

and the documentation for those directives is at

http://nginx.org/r/proxy_ssl_certificate

Those files relate to the client certificate that nginx will offer to
the upstream server in order to identify itself.

> What is trusted_ca_cert.crt;?

http://nginx.org/r/proxy_ssl_trusted_certificate

That file allows nginx to verify that the certificate presented by the
upstream server, is one that nginx is willing to consider acceptable.

> Is this related to backend.example.com? how can i obtain this?

Yes; the Certificate Authority that signed the backend.example.com
certificate should make this available to anyone they want to trust them.

> But getting below exception when i hit the API.
>
> upstream SSL certificate verify error: (19:self signed certificate in
> certificate chain) while SSL handshaking to upstream, client: <user_ip>,
> server: <nginx_server_ip>, request: "POST /getsomething HTTP/1.1", upstream:
> "https://backend.example.com:443/getsomething", host: "nginx_server_ip"

I believe that that says that nginx (as the client) does not accept the
certificate provided by the server at backend.example.com; probably due
to nginx's proxy_ssl_trusted_certificate configuration not being what
it expects.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
How to establish secure connection between NGINX <-> https upstream API	satscreate	March 13, 2020 01:48AM
Re: How to establish secure connection between NGINX <-> https upstream API	Francis Daly	March 13, 2020 09:32AM
Re: How to establish secure connection between NGINX <-> https upstream API	satscreate	March 14, 2020 09:38AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 232

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018