ProxySSL with client certificate - error redirection problem

adileso nginx-forum at nginx.us
Mon Sep 21 16:46:03 MSD 2009


Hi all,

I have published an internal web site with HTTPS and set the ssl_verify_client on. I need some fields from the client certificate to send them to the back-end web server, so I can correctly access a specific database.

It's working but I also need to redirect the client to a second internal website in case his certificate is missing or is invalid.
I have tried to capture the error page that I've got in the browser (when I don't send a client certificate) and put a redirect link in that error page. The second website will generate the client certificates based on a user and password.

I am trying to avoid giving 2 separate links to the client (one for the client certificate generation and one for database access).
Any suggestions? I've also tried to do this with apache ssl_error_module with no luck.
Thanks in advance.


server {
    listen      8443;
    ssl                  on;
    ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
    ssl_certificate_key  /etc/httpd/ssl/server.key;
    ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
    ssl_verify_client       on;
    ssl_verify_depth 5;

    error_page 400  /400.html;
    location  /400.html {
        root  /usr/share/nginx/html;
    }

    access_log  /var/log/nginx/proxy.access.log  main;
    error_log  /var/log/nginx/proxy.error.log  debug;

    location / {
        proxy_pass      http://10.20.0.15:80;
        proxy_buffering on;
        proxy_set_header    Subject    $ssl_client_s_dn;
        proxy_set_header    Issuer     $ssl_client_i_dn;
        proxy_set_header    SerialNumber     $ssl_client_serial;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 15;
        proxy_intercept_errors on;
    }
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,8120,8120#msg-8120
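One way to get the behaviour the post asks for, written as an added example and not the poster's own configuration: with ssl_verify_client set to "on", nginx rejects the handshake-less request with a 400 before any location block runs, so the browser never follows a link. With the "optional" value (available in nginx builds that accept it) the handshake completes even when no certificate is sent or it fails verification, the request reaches the location block, and the result of verification is exposed in $ssl_client_verify. The server_name, the enrollment URL and the certificate paths below are assumptions; the backend address 10.20.0.15 is the one from the post.

```nginx
# Added example, not the poster's config. Assumed: app.example.internal,
# pki.example.internal (the certificate-enrollment site), /etc/nginx/ssl/*.
server {
    listen 8443 ssl;
    server_name app.example.internal;

    ssl_certificate         /etc/nginx/ssl/proxy-ssl.cer;
    ssl_certificate_key     /etc/nginx/ssl/server.key;
    ssl_client_certificate  /etc/nginx/ssl/ca-bundle.crt;
    ssl_verify_depth        5;
    ssl_protocols           TLSv1.2 TLSv1.3;

    # "optional": the TLS handshake succeeds whether or not a client
    # certificate is presented, so the request is handled below and the
    # verification outcome can be checked. "on" would answer 400 instead.
    ssl_verify_client optional;

    location / {
        # $ssl_client_verify is "SUCCESS", "NONE" (no certificate sent)
        # or "FAILED:<reason>". Anything but SUCCESS goes to enrollment.
        if ($ssl_client_verify != SUCCESS) {
            return 302 https://pki.example.internal/enroll;
        }

        proxy_pass      http://10.20.0.15:80;
        proxy_buffering on;

        # Only verified clients get past the return above, so these values
        # describe a certificate chained to ca-bundle.crt. proxy_set_header
        # also overwrites any same-named header the client itself sent, so
        # a caller cannot supply its own Subject header through the proxy.
        proxy_set_header Subject          $ssl_client_s_dn;
        proxy_set_header Issuer           $ssl_client_i_dn;
        proxy_set_header SerialNumber     $ssl_client_serial;
        proxy_set_header X-Client-Verify  $ssl_client_verify;
    }
}
```

The enrollment site belongs in its own server block that does not require a client certificate, otherwise the redirect loops. The headers are only trustworthy because the backend is reached through this proxy; if 10.20.0.15:80 is reachable directly, a client could send a Subject header of its own choosing, so the backend should accept connections from the proxy only (firewall or listen address). Keeping the "optional" verification result in X-Client-Verify lets the backend log or re-check it rather than assume every request carries a verified identity.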