ProxySSL with client certificate - error redirection problem

Igor Sysoev is at rambler-co.ru
Tue Sep 22 14:20:44 MSD 2009 

On Tue, Sep 22, 2009 at 05:45:27AM -0400, adileso wrote:

> Thank you very much Igor,
> 
> Your setup is working fine if I do reverse proxy on http.
> Because I needed to redirect the error to a https page, I have modified the setup by creating another proxy ssl instance, where I didn't asked for ssl_verify_client.

You do not need an external redirect for this:

     error_page   495  496  /certsrv;

     location = /certsrv {
         proxy_pass      https://internal.web.server;
         ...
     }

> My setup is working now, even if I don't use the standard SSL port. Any other suggestions for it?
> Here it is, for any other interested:
> 
> 
> 
> # HTTPS server configuration
> #
> 
> server {
>     listen      443;
> 
>     ssl                  on;
>     ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
>     ssl_certificate_key  /etc/httpd/ssl/server.key;
>     ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
>     ssl_session_timeout  5m;
>     ssl_protocols  SSLv2 SSLv3 TLSv1;
>     ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>     ssl_prefer_server_ciphers   on;
>     ssl_verify_client       on;
>     ssl_verify_depth 5;
> 
> 
>      error_page   495   https://external.web.address:44399/certsrv;
>      error_page   496   https://external.web.address:44399/certsrv;
> 
>     location / {
>         proxy_pass      http://internal.web.server:80; proxy_buffering on;
>         proxy_set_header    Subject    $ssl_client_s_dn;
>         proxy_set_header    Issuer     $ssl_client_i_dn;
>         proxy_set_header    SerialNumber     $ssl_client_serial;
>         client_max_body_size 10m;
>         client_body_buffer_size 128k;
>         proxy_connect_timeout 15;
>         proxy_intercept_errors on;
>        }
> 
>     access_log  /var/log/nginx/proxy.access.log  main;
>     error_log  /var/log/nginx/proxy.error.log  debug;
> 
> }
> 
> 
> server {
>     listen      44399;
> 
>     ssl                  on;
>     ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
>     ssl_certificate_key  /etc/httpd/ssl/server.key;
>     ssl_session_timeout  5m;
>     ssl_protocols  SSLv2 SSLv3 TLSv1;
>     ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>     ssl_prefer_server_ciphers   on;
> 
>     location / {
>         proxy_pass      https://internal.web.server; proxy_buffering on;
>         client_max_body_size 10m;
>         client_body_buffer_size 128k;
>         proxy_connect_timeout 15;
>         proxy_intercept_errors on;
>        }
> 
>     access_log  /var/log/nginx/certificate.access.log  main;
>     error_log  /var/log/nginx/certificate.error.log  debug;
> 
> }
> 
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,8120,8343#msg-8343
> 

-- 
Igor Sysoev
http://sysoev.ru/en/

More information about the nginx mailing list