Re: Nginx can’t proxy client certificate authentication

Francis Daly francis at daoine.org
Sun Mar 17 17:34:17 UTC 2019


On Sat, Mar 16, 2019 at 02:30:16PM -0400, WoMa wrote:

Hi there,

> I solved this problem maybe not elegantly but it works.

Good that you found a solution.

I think that what you describe is the way to do it -- nginx does the
client certificate authentication, and does not try to proxy that aspect.

> 3) In locations that require a certificate (/polishapi and
> /identityserver), it is verified whether authentication of the client's
> certificate was successful; if not, error 403 is returned - access denied
> 
>         if ($ssl_client_verify != SUCCESS) {
>             return 403;
>         }

The only extra piece you could add, if the haproxy side wanted to know
which specific client certificate was used, would be to use some of the
variables listed around http://nginx.org/r/$ssl_client_i_dn in headers
sent to the upstream.

That's probably just an extra "nice-to-have", rather than a requirement,
of course.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org
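
The setup discussed in this message, as an added example that is not part of the original thread: nginx verifies the client certificate, returns 403 where it is required, and passes the certificate details to the upstream in headers. The certificate paths, server name, upstream address and X-SSL-Client-* header names are placeholders, and "ssl_verify_client optional" is an assumption about the poster's configuration.

```nginx
# Added example, not from the thread. Paths, server name, upstream address
# and the X-SSL-Client-* header names are placeholders.
server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;  # CA that issues client certs

    # "optional" asks for a certificate but completes the handshake without
    # one, so each location decides whether to enforce it (assumed setup).
    ssl_verify_client optional;

    # Set at server level so every location inherits them. proxy_set_header
    # replaces a same-named header sent by the client, and an empty value
    # means the header is not passed at all, so the upstream only sees
    # values nginx derived from the TLS handshake.
    # Inheritance stops if a location defines its own proxy_set_header;
    # repeat these lines there in that case.
    proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;
    proxy_set_header X-SSL-Client-S-DN        $ssl_client_s_dn;
    proxy_set_header X-SSL-Client-I-DN        $ssl_client_i_dn;
    proxy_set_header X-SSL-Client-Serial      $ssl_client_serial;
    proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;

    # Location named in the quoted message; a certificate is required here.
    location /polishapi {
        # $ssl_client_verify is SUCCESS, FAILED:reason, or NONE.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;   # placeholder for the haproxy side
    }

    # No certificate required; the headers above are still overwritten,
    # so a client cannot inject its own X-SSL-Client-* values.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The upstream should accept these headers only on connections that arrive from nginx, since anything able to reach it directly could set them itself.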

