Patch: Support for two way/mutual SSL authentication for upstream http proxy

Rohit Joshi rohit.c.joshi at
Tue Aug 19 00:24:25 UTC 2014

Patch: The attached patch adds support for two way SSL authentication using
a client certificate and key for the upstream in the http proxy.

Use Case:
  At my company, we are using two way SSL authentication for communication
among all application servers. This is a security (NPI/PCI) requirement due
to being a financial firm.

Currently we are using Oracle Service Bus (OSB) as a reverse proxy, for client
authentication and upstream routing, which I am planning to replace using

In my prototype, I found that nginx doesn't support two way SSL
authentication for the upstream proxy, for which I have provided a fix.

Patch details:

The logic is as below.

if proxy_ssl_trusted_certificate is configured and
(proxy_ssl_client_certificate or proxy_ssl_client_certificate_key)
   it logs a warning that proxy_ssl_client_certificate or
   proxy_ssl_client_certificate_key will be ignored.

if proxy_ssl_trusted_certificate is configured then
   it uses ssl_trusted_certificate for authentication
else if proxy_ssl_client_certificate and
proxy_ssl_client_certificate_key are configured,
   it uses both to do two way authentication
   logs error as either proxy_ssl_trusted_certificate or
   (proxy_ssl_client_certificate and proxy_ssl_client_certificate_key)

Added the following two new config parameters:

proxy_ssl_client_certificate  cert.pem;
proxy_ssl_client_certificate_key cert.key;

Please let me know if you have any questions.

Rohit Joshi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ngx_http_proxy_module.c.patch
Type: application/octet-stream
Size: 4792 bytes
Desc: not available
URL: <>

More information about the nginx-devel mailing list