Patch: Support for two way/mutual SSL authentication for upstream http proxy

Rohit Joshi rohit.c.joshi at gmail.com
Tue Aug 19 00:24:25 UTC 2014


Patch: The attached patch adds support for two way SSL authentication using a
client certificate and key for the upstream in the http proxy module
(ngx_http_proxy_module.c).

Use Case:
At my company, we are using two way SSL authentication for communication
among all application servers. This is a security (NPI/PCI) requirement due
to our being a financial firm.

Currently we are using Oracle Service Bus (OSB) for reverse proxying, client
authentication and upstream routing, which I am planning to replace with
nginx.

In my prototype, I found that nginx doesn't support two way SSL
authentication for the upstream proxy, for which I have provided a fix.

Patch details:

The logic is as below.

if proxy_ssl_trusted_certificate is configured and
   (proxy_ssl_client_certificate or proxy_ssl_client_certificate_key) is configured
     it logs a warning that proxy_ssl_client_certificate or
     proxy_ssl_client_certificate_key will be ignored.

if proxy_ssl_trusted_certificate is configured then
     it uses ssl_trusted_certificate for authentication
else if proxy_ssl_client_certificate and
   proxy_ssl_client_certificate_key are configured
     it uses both to do two way authentication
else
     it logs an error as either proxy_ssl_trusted_certificate or
     (proxy_ssl_client_certificate and proxy_ssl_client_certificate_key) is
     required.

Added the following two new config parameters:

proxy_ssl_client_certificate     cert.pem;
proxy_ssl_client_certificate_key cert.key;


Please let me know if you have any questions.

Thanks,
Rohit Joshi
-- 
This e-mail and any attachment is for authorized use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140818/1dd7edab/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ngx_http_proxy_module.c.patch
Type: application/octet-stream
Size: 4792 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140818/1dd7edab/attachment.obj>
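The configuration below is an added illustration of how the two directives proposed in this message would be used; it is not taken from the attached patch or from the nginx sources. The directive names proxy_ssl_client_certificate and proxy_ssl_client_certificate_key are the ones the message proposes (released nginx, from 1.7.8 on, exposes the same feature as proxy_ssl_certificate and proxy_ssl_certificate_key); the upstream names, server names and file paths are placeholders.

```nginx
# Added example, not part of the patch or of nginx itself.
# Directive names follow the message; hosts and paths are placeholders.
http {
    upstream app_servers {
        server app1.internal.example:8443;
        server app2.internal.example:8443;
    }

    server {
        listen 443 ssl;
        server_name gateway.example;

        ssl_certificate     /etc/nginx/tls/gateway.pem;
        ssl_certificate_key /etc/nginx/tls/gateway.key;

        # Client-facing mutual TLS with existing nginx directives:
        # callers must present a certificate issued by the internal CA.
        ssl_client_certificate /etc/nginx/tls/internal-ca.pem;
        ssl_verify_client      on;

        location / {
            proxy_pass https://app_servers;

            # Proposed directives: nginx presents this certificate and key
            # when it opens the TLS connection to the application servers,
            # so the upstream can authenticate the proxy as a client.
            proxy_ssl_client_certificate     /etc/nginx/tls/gateway-client.pem;
            proxy_ssl_client_certificate_key /etc/nginx/tls/gateway-client.key;
        }
    }
}
```

One caveat follows from the logic described in the message: if proxy_ssl_trusted_certificate is also configured in the same context, the two client certificate directives are ignored with a warning, so with this revision of the patch nginx cannot both verify the upstream server's certificate and present its own client certificate on the same connection. A deployment that needs authentication in both directions would want that precedence rule revisited before relying on it.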

