Welcome! Log In Create A New Profile

Advanced

Re: How to establish secure connection between NGINX <-> https upstream API

Francis Daly
March 13, 2020 09:32AM
On Thu, Mar 12, 2020 at 10:47:40PM -0700, satscreate wrote:

Hi there,

> https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#

> location /upstream {
> proxy_pass https://$upstream$request_uri;
> proxy_ssl_certificate /etc/nginx/client.pem;
> proxy_ssl_certificate_key /etc/nginx/client.key;

> proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

> What is below client.pem & client.key?
>
> is this the nginx client files which needs to be created and signed with CA?

The page you link to says

"""
Add the client certificate and the key that will be used to
authenticate NGINX on each upstream server with proxy_ssl_certificate
and proxy_ssl_certificate_key directives:
"""

and the documentation for those directives is at

http://nginx.org/r/proxy_ssl_certificate

Those files relate to the client certificate that nginx will offer to
the upstream server in order to identify itself.

> What is trusted_ca_cert.crt;?

http://nginx.org/r/proxy_ssl_trusted_certificate

That file allows nginx to verify that the certificate presented by the
upstream server, is one that nginx is willing to consider acceptable.

> Is this related to backend.example.com? how can i obtain this?

Yes; the Certificate Authority that signed the backend.example.com
certificate should make this available to anyone they want to trust them.

> But getting below exception when i hit the API.
>
> upstream SSL certificate verify error: (19:self signed certificate in
> certificate chain) while SSL handshaking to upstream, client: <user_ip>,
> server: <nginx_server_ip>, request: "POST /getsomething HTTP/1.1", upstream:
> "https://backend.example.com:443/getsomething", host: "nginx_server_ip"

I believe that that says that nginx (as the client) does not accept the
certificate provided by the server at backend.example.com; probably due
to nginx's proxy_ssl_trusted_certificate configuration not being what
it expects.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

How to establish secure connection between NGINX <-> https upstream API

satscreate March 13, 2020 01:48AM

Re: How to establish secure connection between NGINX <-> https upstream API

Francis Daly March 13, 2020 09:32AM

Re: How to establish secure connection between NGINX <-> https upstream API

satscreate March 14, 2020 09:38AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 79
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready