proxy_ssl_certificate not working as expected

Maxim Dounin mdounin at mdounin.ru
Wed Mar 16 20:12:47 UTC 2016


Hello!

On Sun, Mar 13, 2016 at 07:24:05AM -0400, elanh wrote:

> Hello,
> 
> I'm using nginx as a proxy to a backend server. 
> The backend server is also using nginx and enforcing client certificate
> authentication using the ssl_client_certificate and ssl_verify_client
> directives.
> 
> In my nginx server I set the following:
> 
>     location  /proxy {
>         proxy_pass                 https://www.backend.com;
> 
>         proxy_set_header       X-Forwarded-Host $host;
>         proxy_set_header       X-Forwarded-Server $host;
>         proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
> 
>         proxy_ssl_certificate         /etc/nginx/cert/client.crt;
>         proxy_ssl_certificate_key  /etc/nginx/cert/client.key;
>     }
> 
> according to
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate.
> 
> However, the backend is still responding with a 400 response code "No
> required SSL certificate was sent".
> 
> Note that when issuing requests to the backend server using wget with the
> client certificate, I get a valid 200 OK response.
> 
> What am I missing in my nginx configuration?

Configuration looks fine, but likely it's not a configuration 
which is used to handle the requests.  Some basic hints:

- make sure to test with something low level like 
  telnet/curl/wget, browsers often return cached results;

- check if the configuration is actually loaded (you can use "nginx -t" 
  to check for syntax errors; look into error log after a 
  configuration reload to make sure reload went fine; just stop and 
  then start nginx to make sure);

- make sure the location you are configuring is one used for 
  requests (a simple test would be to write something like 
  "return 200 ok;" in it and check if "ok" is actually returned).

Note well that proxy_ssl_certificate is only available in nginx 
1.7.8 and newer.  Configuration testing as done by "nginx -t" 
should complain about unknown directives if you are using an older 
version.

-- 
Maxim Dounin
http://nginx.org/
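
The version and configuration checks from the reply above, sketched as a shell script; this is an added example, not part of the original message or of nginx itself. The function names, the sample version banners and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample banners and config are constructed.
MIN_VERSION=1.7.8   # first release with proxy_ssl_certificate, per the reply

# version_ge A B: succeed when dotted version A >= B (numeric, field by field).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}
        if [ "${af:-0}" -gt "${bf:-0}" ]; then return 0; fi
        if [ "${af:-0}" -lt "${bf:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# banner_version LINE: print "1.6.2" from "nginx version: nginx/1.6.2 (Ubuntu)".
banner_version() {
    v=${1##*/}; v=${v%% *}
    case $v in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# supports_client_cert LINE: succeed if that build has proxy_ssl_certificate.
supports_client_cert() {
    ver=$(banner_version "$1") || return 1
    version_ge "$ver" "$MIN_VERSION"
}

# directive_active NAME: read a config dump on stdin; succeed if NAME is set
# outside "#" comments (proxy_ssl_certificate_key does not count as a match).
directive_active() {
    grep -Eq "^([^#]*[[:space:];{])?$1[[:space:]]"
}

SAMPLE_CONF='location /proxy {
    proxy_pass https://www.backend.com;
    # proxy_ssl_certificate   /etc/nginx/cert/client.crt;
    proxy_ssl_certificate_key /etc/nginx/cert/client.key;
}'
for banner in "nginx version: nginx/1.6.2" "nginx version: nginx/1.10.3 (Ubuntu)"; do
    if supports_client_cert "$banner"; then s="supported"; else s="needs >= $MIN_VERSION"; fi
    echo "$banner: proxy_ssl_certificate $s"
done
if printf '%s\n' "$SAMPLE_CONF" | directive_active proxy_ssl_certificate; then
    echo "sample config: client certificate directive is active"
else
    echo "sample config: client certificate directive missing or commented out"
fi
```

On a live host the banner comes from `nginx -v 2>&1`, and on nginx 1.9.2 or newer `nginx -T` dumps the parsed configuration for piping into `directive_active`. The dump reflects the files on disk, so the reload check from the reply still applies.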


