Patch: Support for two way/mutual SSL authentication for upstream http proxy

August 18, 2014 08:26PM
Patch: Attached patch adds support for two way SSL authentication using
client certificate and key for upstream in http proxy
(ngx_http_proxy_module.c)

Use Case:
At my company, we are using two way SSL authentication for communication
among all application servers. This is a security (NPI/PCI) requirement due
to being a financial firm.

Currently we are using Oracle Service Bus (OSB) for reverse proxying, client
authentication and upstream routing, which I am planning to replace with
nginx.

In my prototype, I found that nginx doesn't support two way SSL
authentication for upstream proxy, for which I have provided a fix.

Patch details:

The logic is as below.

if proxy_ssl_trusted_certificate is configured and
   (proxy_ssl_client_certificate or proxy_ssl_client_certificate_key)
   is configured
    it logs a warning that proxy_ssl_client_certificate or
    proxy_ssl_client_certificate_key will be ignored.

if proxy_ssl_trusted_certificate is configured then
    it uses ssl_trusted_certificate for authentication
else if proxy_ssl_client_certificate and
        proxy_ssl_client_certificate_key are configured,
    it uses both to do two way authentication
else
    it logs an error that either proxy_ssl_trusted_certificate or
    (proxy_ssl_client_certificate and proxy_ssl_client_certificate_key)
    is required.

Added the following two new config parameters:

proxy_ssl_client_certificate cert.pem;
proxy_ssl_client_certificate_key cert.key;

Please let me know if you have any questions.

Thanks,
Rohit Joshi
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
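
The decision order described in the post, as an added example in Python (not the attached patch's C code and not part of the original message): a small checker that reads the proxy_ssl_* directives from a config snippet and reports which branch applies, including the half-configured case where a certificate is given without its key. The function names, the sample config and the upstream host are assumptions; the directive names are the ones the post gives.

```python
import re

# Directive names as given in the post; CERT and KEY are the patch's proposed additions.
TRUSTED = "proxy_ssl_trusted_certificate"
CERT = "proxy_ssl_client_certificate"
KEY = "proxy_ssl_client_certificate_key"


def parse_directives(conf_text):
    """Collect proxy_ssl_* directives from nginx-style text (last value wins)."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(proxy_ssl_\w+)\s+([^;]+);", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def evaluate(conf_text):
    """Return (mode, messages) following the decision order described in the post."""
    d = parse_directives(conf_text)
    messages = []
    ignored = [name for name in (CERT, KEY) if name in d]
    if TRUSTED in d:
        if ignored:
            messages.append("warn: %s will be ignored" % ", ".join(ignored))
        return "trusted_certificate", messages
    if CERT in d and KEY in d:
        return "client_certificate", messages
    messages.append("error: either %s or (%s and %s) required" % (TRUSTED, CERT, KEY))
    return "invalid", messages


# Constructed sample: certificate configured, key line commented out.
SAMPLE = """
location /api/ {
    proxy_pass https://backend.example;   # hypothetical upstream
    proxy_ssl_client_certificate cert.pem;
    # proxy_ssl_client_certificate_key cert.key;
}
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```
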