<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
line-height:115%;
font-size:11.0pt;
font-family:"Cambria","serif";}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
margin-top:24.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:14.0pt;
font-family:"Calibri","sans-serif";
color:#365F91;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:13.0pt;
font-family:"Calibri","sans-serif";
color:#4F81BD;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#4F81BD;}
h4
{mso-style-priority:9;
mso-style-link:"Heading 4 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#4F81BD;
font-style:italic;}
h5
{mso-style-priority:9;
mso-style-link:"Heading 5 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#243F60;
font-weight:normal;}
h6
{mso-style-priority:9;
mso-style-link:"Heading 6 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#243F60;
font-weight:normal;
font-style:italic;}
p.MsoHeading7, li.MsoHeading7, div.MsoHeading7
{mso-style-priority:9;
mso-style-link:"Heading 7 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#404040;
font-style:italic;}
p.MsoHeading8, li.MsoHeading8, div.MsoHeading8
{mso-style-priority:9;
mso-style-link:"Heading 8 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:10.0pt;
font-family:"Calibri","sans-serif";
color:#4F81BD;}
p.MsoHeading9, li.MsoHeading9, div.MsoHeading9
{mso-style-priority:9;
mso-style-link:"Heading 9 Char";
margin-top:10.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:10.0pt;
font-family:"Calibri","sans-serif";
color:#404040;
font-style:italic;}
p.MsoCaption, li.MsoCaption, div.MsoCaption
{mso-style-priority:35;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
font-size:9.0pt;
font-family:"Cambria","serif";
color:#4F81BD;
font-weight:bold;}
p.MsoTitle, li.MsoTitle, div.MsoTitle
{mso-style-priority:10;
mso-style-link:"Title Char";
margin-top:0in;
margin-right:0in;
margin-bottom:15.0pt;
margin-left:0in;
border:none;
padding:0in;
font-size:26.0pt;
font-family:"Calibri","sans-serif";
color:#17365D;
letter-spacing:.25pt;}
p.MsoTitleCxSpFirst, li.MsoTitleCxSpFirst, div.MsoTitleCxSpFirst
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
border:none;
padding:0in;
font-size:26.0pt;
font-family:"Calibri","sans-serif";
color:#17365D;
letter-spacing:.25pt;}
p.MsoTitleCxSpMiddle, li.MsoTitleCxSpMiddle, div.MsoTitleCxSpMiddle
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
border:none;
padding:0in;
font-size:26.0pt;
font-family:"Calibri","sans-serif";
color:#17365D;
letter-spacing:.25pt;}
p.MsoTitleCxSpLast, li.MsoTitleCxSpLast, div.MsoTitleCxSpLast
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:15.0pt;
margin-left:0in;
border:none;
padding:0in;
font-size:26.0pt;
font-family:"Calibri","sans-serif";
color:#17365D;
letter-spacing:.25pt;}
p.MsoSubtitle, li.MsoSubtitle, div.MsoSubtitle
{mso-style-priority:11;
mso-style-link:"Subtitle Char";
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
line-height:115%;
font-size:12.0pt;
font-family:"Calibri","sans-serif";
color:#4F81BD;
letter-spacing:.75pt;
font-style:italic;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoNoSpacing, li.MsoNoSpacing, div.MsoNoSpacing
{mso-style-priority:1;
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Cambria","serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:.5in;
line-height:115%;
font-size:11.0pt;
font-family:"Cambria","serif";}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
line-height:115%;
font-size:11.0pt;
font-family:"Cambria","serif";}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
line-height:115%;
font-size:11.0pt;
font-family:"Cambria","serif";}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:.5in;
line-height:115%;
font-size:11.0pt;
font-family:"Cambria","serif";}
p.MsoQuote, li.MsoQuote, div.MsoQuote
{mso-style-priority:29;
mso-style-link:"Quote Char";
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
line-height:115%;
font-size:11.0pt;
font-family:"Cambria","serif";
color:black;
font-style:italic;}
p.MsoIntenseQuote, li.MsoIntenseQuote, div.MsoIntenseQuote
{mso-style-priority:30;
mso-style-link:"Intense Quote Char";
margin-top:10.0pt;
margin-right:.65in;
margin-bottom:14.0pt;
margin-left:.65in;
line-height:115%;
border:none;
padding:0in;
font-size:11.0pt;
font-family:"Cambria","serif";
color:#4F81BD;
font-weight:bold;
font-style:italic;}
span.MsoSubtleEmphasis
{mso-style-priority:19;
color:gray;
font-style:italic;}
span.MsoIntenseEmphasis
{mso-style-priority:21;
color:#4F81BD;
font-weight:bold;
font-style:italic;}
span.MsoSubtleReference
{mso-style-priority:31;
font-variant:small-caps;
color:#C0504D;
text-decoration:underline;}
span.MsoIntenseReference
{mso-style-priority:32;
font-variant:small-caps;
color:#C0504D;
letter-spacing:.25pt;
font-weight:bold;
text-decoration:underline;}
span.MsoBookTitle
{mso-style-priority:33;
font-variant:small-caps;
letter-spacing:.25pt;
font-weight:bold;}
p.MsoTocHeading, li.MsoTocHeading, div.MsoTocHeading
{mso-style-priority:39;
margin-top:24.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:115%;
page-break-after:avoid;
font-size:14.0pt;
font-family:"Calibri","sans-serif";
color:#365F91;
font-weight:bold;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Calibri","sans-serif";
color:#365F91;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri","sans-serif";
color:#4F81BD;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri","sans-serif";
color:#4F81BD;
font-weight:bold;}
span.Heading4Char
{mso-style-name:"Heading 4 Char";
mso-style-priority:9;
mso-style-link:"Heading 4";
font-family:"Calibri","sans-serif";
color:#4F81BD;
font-weight:bold;
font-style:italic;}
span.Heading5Char
{mso-style-name:"Heading 5 Char";
mso-style-priority:9;
mso-style-link:"Heading 5";
font-family:"Calibri","sans-serif";
color:#243F60;}
span.Heading6Char
{mso-style-name:"Heading 6 Char";
mso-style-priority:9;
mso-style-link:"Heading 6";
font-family:"Calibri","sans-serif";
color:#243F60;
font-style:italic;}
span.Heading7Char
{mso-style-name:"Heading 7 Char";
mso-style-priority:9;
mso-style-link:"Heading 7";
font-family:"Calibri","sans-serif";
color:#404040;
font-style:italic;}
span.Heading8Char
{mso-style-name:"Heading 8 Char";
mso-style-priority:9;
mso-style-link:"Heading 8";
font-family:"Calibri","sans-serif";
color:#4F81BD;}
span.Heading9Char
{mso-style-name:"Heading 9 Char";
mso-style-priority:9;
mso-style-link:"Heading 9";
font-family:"Calibri","sans-serif";
color:#404040;
font-style:italic;}
span.TitleChar
{mso-style-name:"Title Char";
mso-style-priority:10;
mso-style-link:Title;
font-family:"Calibri","sans-serif";
color:#17365D;
letter-spacing:.25pt;}
span.SubtitleChar
{mso-style-name:"Subtitle Char";
mso-style-priority:11;
mso-style-link:Subtitle;
font-family:"Calibri","sans-serif";
color:#4F81BD;
letter-spacing:.75pt;
font-style:italic;}
span.QuoteChar
{mso-style-name:"Quote Char";
mso-style-priority:29;
mso-style-link:Quote;
color:black;
font-style:italic;}
span.IntenseQuoteChar
{mso-style-name:"Intense Quote Char";
mso-style-priority:30;
mso-style-link:"Intense Quote";
color:#4F81BD;
font-weight:bold;
font-style:italic;}
span.EmailStyle45
{mso-style-type:personal-compose;
font-family:"Cambria","serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
.MsoPapDefault
{mso-style-type:export-only;
margin-bottom:10.0pt;
line-height:115%;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I am new to Nginx. We plan to use nginx as a reverse proxy in front of Tomcat and Node.js on our systems, and to use mTLS (mutual TLS) to secure server-to-server communication between the nginx instances on different servers. An additional requirement is that we
have to match the client certificate CN against an existing entry in /etc/hosts, so that a certificate issued by our CA is only accepted if it names a host we already know. What would be the simplest mechanism to do this? The embedded Perl module (ngx_http_perl_module)? uWSGI? (Note: nginx exposes the verified client subject as $ssl_client_s_dn, so the comparison could presumably be done with a map against an allow-list generated from /etc/hosts, rather than by reading /etc/hosts on every request; whichever mechanism is used, the check is only meaningful while ssl_verify_client stays on.)<o:p></o:p></p>
<p class="MsoNormal">Below is the config we have used to prototype nginx as a reverse proxy with mTLS.<o:p></o:p></p>
<p class="MsoNoSpacing"> server {<o:p></o:p></p>
<p class="MsoNoSpacing"> listen 443 ssl;<o:p></o:p></p>
<p class="MsoNoSpacing"> server_name localhost;<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"> error_page 500 502 503 504 /50x.html;<o:p></o:p></p>
<p class="MsoNoSpacing"> location = /50x.html {<o:p></o:p></p>
<p class="MsoNoSpacing"> root /usr/share/nginx/html;<o:p></o:p></p>
<p class="MsoNoSpacing"> }<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"> #SSL Certs<o:p></o:p></p>
<p class="MsoNoSpacing"> # server identity (certificate + private key); keep the .key readable by root only, since the nginx master process reads it at startup<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_certificate /etc/nginx/locations.d/b7k-vma170.crt;<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_certificate_key /etc/nginx/locations.d/b7k-vma170.key;<o:p></o:p></p>
<p class="MsoNoSpacing"> # NOTE(review): SSLv3 is broken (POODLE) and TLSv1/TLSv1.1 are deprecated; for server-to-server mTLS where both ends are under your control, restrict this to TLSv1.2 (plus TLSv1.3 if your nginx/OpenSSL build supports it), e.g. "ssl_protocols TLSv1.2;"<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;<o:p></o:p></p>
<p class="MsoNoSpacing"> # NOTE(review): RC4 is prohibited for TLS (RFC 7465) and is listed first here; the explicit AES128-SHA/AES256-SHA/RC4-SHA suites provide no forward secrecy. Prefer an ECDHE-only list and let the server choose, e.g. "ssl_ciphers HIGH:!aNULL:!MD5:!RC4;" with "ssl_prefer_server_ciphers on;"<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_ciphers RC4:HIGH:!aNULL:!MD5:AES128-SHA:AES256-SHA:RC4-SHA:@STRENGTH;<o:p></o:p></p>
<p class="MsoNoSpacing"> # any certificate chaining to this CA passes the handshake; the CN/allow-list check asked about above is what narrows it to known peers<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_client_certificate /etc/nginx/locations.d/root-ca.crt;<o:p></o:p></p>
<p class="MsoNoSpacing"> # ssl_verify_depth defaults to 1: if client certs are issued by an intermediate CA, add the intermediate to the file above or raise ssl_verify_depth<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_verify_client on;<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_session_cache shared:SSL:10m;<o:p></o:p></p>
<p class="MsoNoSpacing"> ssl_session_timeout 10m;<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"> keepalive_timeout 70;<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"> include /etc/nginx/locations.d/*.conf;<o:p></o:p></p>
<p class="MsoNoSpacing"> include /var/nginx/locations.d/*.conf;<o:p></o:p></p>
<p class="MsoNoSpacing"> # redundant with the "deny all" already at the end of the included ip-allow.conf (access directives are evaluated in order within a context); note the server-level allow/deny list is inherited by "location /" only because that location defines none of its own &#8211; an included location with its own allow/deny replaces this list entirely<o:p></o:p></p>
<p class="MsoNoSpacing"> deny all;<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">ip-allow.conf contents<o:p></o:p></p>
<p class="MsoNoSpacing">allow 10.94.12.148;<o:p></o:p></p>
<p class="MsoNoSpacing">allow 10.94.12.165;<o:p></o:p></p>
<p class="MsoNoSpacing">deny all;<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNormal">webapps.conf contents<o:p></o:p></p>
<p class="MsoNoSpacing">location / {<o:p></o:p></p>
<p class="MsoNoSpacing"> # NOTE(review): "root" is unused while proxy_pass is present, but if proxy_pass were ever removed nginx would serve the Tomcat webapps tree (WEB-INF, .class, config files) as static content; consider dropping this line<o:p></o:p></p>
<p class="MsoNoSpacing"> root /var/lib/tomcat/webapps;<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_pass <a href="http://127.0.0.1:8082">http://127.0.0.1:8082</a>;<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"> # the backend sees 127.0.0.1 as the peer; Tomcat/Node must be configured to trust X-Forwarded-For only from this proxy (e.g. Tomcat's RemoteIpValve) if they log or authorize by client IP<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<o:p></o:p></p>
<p class="MsoNoSpacing"> # forwards the client-supplied Host header unchanged; fine for known mTLS peers, but the backend should not derive trust or absolute URLs from it (alternatively use $host or a fixed value)<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_set_header Host $http_host;<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_set_header X-Forwarded-Proto https;<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_redirect off;<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNoSpacing"> # nginx caps proxy_connect_timeout at about 75 s, so 1200 is effectively 75; the 20-minute send/read timeouts below hold a worker connection open per slow request, which is acceptable for a prototype but worth revisiting<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_connect_timeout 1200;<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_send_timeout 1200;<o:p></o:p></p>
<p class="MsoNoSpacing"> proxy_read_timeout 1200;<o:p></o:p></p>
<p class="MsoNoSpacing">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>