Nginx reverse proxy pass through client certificate

http-headershttpsnginxreverse-proxyssl

I'm trying to set up a load balancer via an Nginx reverse proxy. My application uses client certificates to authenticate clients. I would like my reverse proxy to forward the client certificate to my back-end servers. I have added this line to my reverse proxy's configuration to store the client certificate information in a custom HTTP header:

proxy_set_header X-SSL-CERT $ssl_client_cert

However, $ssl_client_cert uses multiple lines to store the certificate, and my back-end nginx server does not recognize this properly as one HTTP header. What is the best way to achieve forward my client certificates?

This question has been asked in 2013 on this forum, but so far no real solution: https://forum.nginx.org/read.php?2,236546,236546

Thanks!

Best Answer

So I have found a solution. I remove all newlines in the certificate and send them as a single HTTP Header from the proxy to the back-end, similar as explained here:

https://forum.nginx.org/read.php?2,236546,236546

In my back-end I reconstruct the certificate by adding a newline every 64 characters. The updated code for the reverse proxy is the following and works up to 26 lines:

map $ssl_client_raw_cert $a {
   "~^(-.*-\n)(?<st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$" $st;
}

server {
   location / {
      proxy_set_header X-cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;
      proxy_pass http://localhost:8000;
   }
}

(note that I have removed the variable starting with a number) While this solution is not ideal, it works for me at this moment. Another solution would be to only send the certificate's DN info, which is a single line. This does not work for me at this time, as I have not stored every DN in my database.

Related Solutions

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

For anybody stumbling across this question that wants to use nginx you can set this up like any normal proxy, and to accept a self-signed certificate from the backend you need to provide the exported pem certificate (and perhaps a key) and set ssl verification off. For example:

...

server {
    listen       10.1.2.3:80;
    server_name  10.1.2.3 myproxy.mycompany.com;

    location / {
         proxy_pass                    https://backend.server.ip/;
         proxy_ssl_trusted_certificate /etc/nginx/sslcerts/backend.server.pem;
         proxy_ssl_verify              off;

         ... other proxy settings
    }

If your secure back end is using Server Name Identification SNI with multiple hosts being served per IP/Port pair you may also need to include proxy_ssl_server_name on; in the configuration. This works on nginx 1.7.0 and later.

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Best Answer

Related Solutions

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

NGINX Reverse Proxy – URL Rewrite

Related Topic