Patch: Support for two way/mutual SSL authentication for upstream http proxy
Rohit Joshi
rohit.c.joshi at gmail.com
Tue Aug 19 02:13:10 UTC 2014
Looks like the attachment didn't go through. Here is the patch inline:
# HG changeset patch
# User Rohit Joshi <rohit.c.joshi at gmail.com>
# Date 1408406738 14400
# Mon Aug 18 20:05:38 2014 -0400
# Node ID 61724860610aee50d73a3a0515c17ee09e8eb349
# Parent 8cdec62a7751153117a46acdf46b50dcf8ac24de
Mail:Support for two way SSL for upstream http proxy
Added support for two way SSL using client certificate/key.
diff -r 8cdec62a7751 -r 61724860610a
src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Aug 18 12:03:41 2014
+0400
+++ b/src/http/modules/ngx_http_proxy_module.c Mon Aug 18 20:05:38 2014
-0400
@@ -84,6 +84,8 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_str_t ssl_client_certificate;
+ ngx_str_t ssl_client_certificate_key;
#endif
} ngx_http_proxy_loc_conf_t;
@@ -598,6 +600,21 @@
offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
NULL },
+ { ngx_string("proxy_ssl_client_certificate"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate),
+ NULL },
+
+ { ngx_string("proxy_ssl_client_certificate_key"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate_key),
+ NULL },
+
+
#endif
ngx_null_command
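Review bot: The new directive names `proxy_ssl_client_certificate` / `proxy_ssl_client_certificate_key` are easy to confuse with `ssl_client_certificate` in the server-side SSL module, where that name designates the CA bundle used to verify clients rather than a certificate this side presents; mirroring `ssl_certificate`/`ssl_certificate_key` as `proxy_ssl_certificate` and `proxy_ssl_certificate_key` (with the struct fields renamed to match) would state the intent more clearly. The two consecutive blank `+` lines added before `#endif` should be collapsed to one, since the other entries in this table are separated by a single blank line.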
@@ -2451,6 +2468,8 @@
* conf->ssl_ciphers = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
+ * conf->ssl_client_certificate = { 0, NULL };
+ * conf->ssl_client_certificate_key = { 0, NULL };
*/
conf->upstream.store = NGX_CONF_UNSET;
@@ -2795,6 +2814,19 @@
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
+ ngx_conf_merge_str_value(conf->ssl_client_certificate,
+ prev->ssl_client_certificate, "");
+ ngx_conf_merge_str_value(conf->ssl_client_certificate_key,
+ prev->ssl_client_certificate_key, "");
+ if( conf->ssl_trusted_certificate.len != 0 &&
+ ( conf->ssl_client_certificate.len != 0
+ || conf->ssl_client_certificate_key.len != 0) ) {
+
+ ngx_log_error(NGX_LOG_WARN, cf->log, 0,
+ "proxy_ssl_trusted_certificate is configured "
+ "so proxy_ssl_client_certificate and "
+ "proxy_ssl_client_certificate_key will be ignored");
+ }
#endif
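Review bot: The two `ngx_conf_merge_str_value` calls for `ssl_client_certificate` and `ssl_client_certificate_key` run after `ngx_http_proxy_set_ssl(cf, conf)` on the `if (conf->ssl && ...)` line just above them, yet that function is where the new fields are read, so a client certificate configured at `server` level and inherited by a `location` is still empty when the upstream SSL context is built and is silently never loaded. Move the two merge calls above `if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK)`, next to where the other `ssl_*` strings are presumably merged (that part of the function lies outside the hunk). The warning that the client certificate `will be ignored` when `proxy_ssl_trusted_certificate` is set enforces an exclusivity that has no protocol basis: presenting a client certificate and verifying the upstream's certificate are independent settings, and needing both is the ordinary mutual-TLS deployment; the same exclusivity appears in the last hunk. Style: `if( conf->ssl_trusted_certificate.len != 0 &&` should follow the file's `if (cond)` spacing; the enclosing merge function starts and ends outside the hunk.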
@@ -3861,22 +3893,42 @@
}
if (plcf->upstream.ssl_verify) {
- if (plcf->ssl_trusted_certificate.len == 0) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no proxy_ssl_trusted_certificate for
proxy_ssl_verify");
- return NGX_ERROR;
- }
-
- if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+
+ if (plcf->ssl_trusted_certificate.len != 0) {
+
+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
- != NGX_OK)
- {
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) !=
NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ }else if (plcf->ssl_client_certificate_key.len != 0 &&
+ plcf->ssl_client_certificate.len != 0) {
+
+ if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
+ &plcf->ssl_client_certificate,
+ &plcf->ssl_client_certificate_key,
+ 0)
+ != NGX_OK)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+ "ngx_ssl_certificate failed.");
+ return NGX_ERROR;
+ }
+ }else {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no proxy_ssl_trusted_certificate or "
+ "(proxy_ssl_client_certificate and "
+ "proxy_ssl_client_certificate_key for "
+ "mutual authentication) for proxy_ssl_verify");
return NGX_ERROR;
- }
-
- if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK)
{
- return NGX_ERROR;
+
}
}
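Review bot: Loading the client certificate is placed under `if (plcf->upstream.ssl_verify)` and in an `else if` branch taken only when `proxy_ssl_trusted_certificate` is empty, so a configuration cannot both verify the upstream server and present a client certificate — which is exactly the mutual-authentication setup the commit message describes. In the client-certificate-only branch `ssl_verify` also stays enabled while no trust anchors are loaded, because the original `no proxy_ssl_trusted_certificate for proxy_ssl_verify` error is removed; whether connections then fail or are accepted depends on how verification treats an empty store rather than on an explicit configuration error. Load the client certificate unconditionally before the `ssl_verify` block, require certificate and key together, and restore the original trusted-certificate and CRL checks unchanged, as sketched below (the enclosing `ngx_http_proxy_set_ssl` begins and ends outside the hunk). The added `ngx_ssl_error(..., "ngx_ssl_certificate failed.")` is probably redundant, since the neighbouring `ngx_ssl_trusted_certificate`/`ngx_ssl_crl` calls return `NGX_ERROR` without logging and presumably rely on the helper reporting the failure; `}else if` / `}else` should also be written `} else if` / `} else` to match the file.
```c
    if (plcf->ssl_client_certificate.len != 0
        || plcf->ssl_client_certificate_key.len != 0)
    {
        if (plcf->ssl_client_certificate.len == 0
            || plcf->ssl_client_certificate_key.len == 0)
        {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "proxy_ssl_client_certificate and "
                          "proxy_ssl_client_certificate_key "
                          "must be configured together");
            return NGX_ERROR;
        }

        if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
                                &plcf->ssl_client_certificate,
                                &plcf->ssl_client_certificate_key,
                                0)
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }

    if (plcf->upstream.ssl_verify) {
        /* … unchanged: original proxy_ssl_trusted_certificate check,
           ngx_ssl_trusted_certificate() and ngx_ssl_crl() calls … */
    }
```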