Nginx proxy to back-end with SSL client certificate authentication

nginxPROXYssl-certificate

I have two servers, both have nginx. Server A is listening to 443 and is configured to authenticate with a Client SSL certificate.

Server B has an internal process that needs to communicate to Server A through nginx.

I'd like to configure Nginx on server B that will listen to 8080 (no encryption, since it's all local communication) and proxy_pass to ServerA:443.

The question is how do I inject a Client Certificate ? I didn't found any proxy_xxxx function that would do that.

I do know how to make an equivalent to that with socat, but my requirement is to use nginx.

Best Answer

Is it sufficient to have the client certificate details passed through?

You can add

proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;

to your config and then the certificate info is available to server B via a X-SSL-Cert header.

Related Solutions

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

For anybody stumbling across this question that wants to use nginx you can set this up like any normal proxy, and to accept a self-signed certificate from the backend you need to provide the exported pem certificate (and perhaps a key) and set ssl verification off. For example:

...

server {
    listen       10.1.2.3:80;
    server_name  10.1.2.3 myproxy.mycompany.com;

    location / {
         proxy_pass                    https://backend.server.ip/;
         proxy_ssl_trusted_certificate /etc/nginx/sslcerts/backend.server.pem;
         proxy_ssl_verify              off;

         ... other proxy settings
    }

If your secure back end is using Server Name Identification SNI with multiple hosts being served per IP/Port pair you may also need to include proxy_ssl_server_name on; in the configuration. This works on nginx 1.7.0 and later.

SSL Proxy: Forwarding without the encryption

Pretty simple, really. You want a virtual host with encryption, then a proxy to a non-encrypted HTTP endpoint.

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/cert.key
    ProxyPass / http://localhost:9091/
    ProxyPassReverse / http://localhost:9091/
</VirtualHost>

Best Answer

Related Solutions

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

SSL Proxy: Forwarding without the encryption

Related Topic