Patch: Support for two way/mutual SSL authentication for upstream http proxy
Rohit Joshi
rohit.c.joshi at gmail.com
Tue Aug 19 00:24:25 UTC 2014
Patch: The attached patch adds support for two-way SSL authentication using a client certificate and key for the upstream in the http proxy (ngx_http_proxy_module.c).
Use case:
At my company, we are using two-way SSL authentication for communication among all application servers. This is a security (NPI/PCI) requirement, since we are a financial firm.
Currently we are using Oracle Service Bus (OSB) for reverse proxying, client authentication and upstream routing, which I am planning to replace with nginx.
In my prototype, I found that nginx doesn't support two-way SSL authentication for the upstream proxy, for which I have provided a fix.
Patch details:
The logic is as follows:
  if proxy_ssl_trusted_certificate is configured and
  (proxy_ssl_client_certificate or proxy_ssl_client_certificate_key) is
  configured,
    it logs a warning that proxy_ssl_client_certificate or
    proxy_ssl_client_certificate_key will be ignored.
  if proxy_ssl_trusted_certificate is configured, then
    it uses ssl_trusted_certificate for authentication
  else if proxy_ssl_client_certificate and
  proxy_ssl_client_certificate_key are configured,
    it uses both to do two-way authentication
  else
    it logs an error that either proxy_ssl_trusted_certificate or
    (proxy_ssl_client_certificate and proxy_ssl_client_certificate_key)
    is required.
Added the following two new config parameters:
  proxy_ssl_client_certificate cert.pem;
  proxy_ssl_client_certificate_key cert.key;
Please let me know if you have any questions.
Thanks,
Rohit Joshi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ngx_http_proxy_module.c.patch
Type: application/octet-stream
Size: 4792 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140818/1dd7edab/attachment.obj>
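As an added illustration (not the attached patch and not the author's configuration), the following nginx fragment shows how the two directives proposed in this post would be used to mutually authenticate the proxy-to-upstream leg; hostnames, paths and the upstream names are placeholders.

```nginx
# Added example, not part of the original post. Directive names follow the
# proposal above; all hostnames and file paths are constructed placeholders.
upstream app_servers {
    server app1.internal.example:8443;
    server app2.internal.example:8443;
}

server {
    listen 443 ssl;
    server_name gateway.example;

    # TLS for the client-facing listener.
    ssl_certificate     /etc/nginx/tls/gateway.crt;
    ssl_certificate_key /etc/nginx/tls/gateway.key;

    # Require client certificates from downstream callers too, so the gateway
    # is mutually authenticated on both legs (the role the post gives OSB).
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;

    location / {
        proxy_pass https://app_servers;

        # Two-way authentication to the upstream as described in the post:
        # the proxy presents this certificate and key in the TLS handshake.
        # Per the patch logic, also setting proxy_ssl_trusted_certificate
        # here would cause these two directives to be ignored with a warning.
        proxy_ssl_client_certificate     /etc/nginx/tls/proxy-client.pem;
        proxy_ssl_client_certificate_key /etc/nginx/tls/proxy-client.key;

        proxy_ssl_protocols TLSv1.2;
    }
}
```

Mainline nginx later shipped this capability under the names proxy_ssl_certificate and proxy_ssl_certificate_key (since 1.7.8), so on a current build those are the directives to use rather than the ones proposed here.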