Patch: Support for two way/mutual SSL authentication for upstream http proxy

Rohit Joshi rohit.c.joshi at gmail.com
Tue Aug 19 02:13:10 UTC 2014


Looks like the attachment didn't go through. Here is the patch:



# HG changeset patch
# User Rohit Joshi <rohit.c.joshi at gmail.com>
# Date 1408406738 14400
#      Mon Aug 18 20:05:38 2014 -0400
# Node ID 61724860610aee50d73a3a0515c17ee09e8eb349
# Parent  8cdec62a7751153117a46acdf46b50dcf8ac24de
Mail:Support for two way SSL for upstream http proxy

Added support for two-way (mutual) SSL using a client certificate and key.

diff -r 8cdec62a7751 -r 61724860610a
src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Aug 18 12:03:41 2014
+0400
+++ b/src/http/modules/ngx_http_proxy_module.c Mon Aug 18 20:05:38 2014
-0400
@@ -84,6 +84,8 @@
     ngx_uint_t                     ssl_verify_depth;
     ngx_str_t                      ssl_trusted_certificate;
     ngx_str_t                      ssl_crl;
+    ngx_str_t                      ssl_client_certificate;
+    ngx_str_t                      ssl_client_certificate_key;
 #endif
 } ngx_http_proxy_loc_conf_t;

@@ -598,6 +600,21 @@
       offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
       NULL },

+    { ngx_string("proxy_ssl_client_certificate"),
+
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate),
+      NULL },
+
+      { ngx_string("proxy_ssl_client_certificate_key"),
+
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate_key),
+      NULL },
+
+
 #endif

       ngx_null_command
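Review bot: The second directive entry, `      { ngx_string("proxy_ssl_client_certificate_key"),`, is indented two columns deeper than the first entry and the surrounding table, and two blank lines precede `#endif`; align it as `    { ngx_string("proxy_ssl_client_certificate_key"),` and keep a single blank line, as the existing entries do. As posted, each entry's flags line (`NGX_HTTP_MAIN_CONF|...`) has been split from its `+` marker by the mail client, so the hunk will not apply verbatim; the same wrapping appears in the last hunk (`"no proxy_ssl_trusted_certificate for`, `!= NGX_OK) {`), so re-sending the patch unwrapped or as an attachment would help reviewers test it. The command table starts and ends outside the hunk.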
@@ -2451,6 +2468,8 @@
      *     conf->ssl_ciphers = { 0, NULL };
      *     conf->ssl_trusted_certificate = { 0, NULL };
      *     conf->ssl_crl = { 0, NULL };
+     *     conf->ssl_client_certificate = { 0, NULL };
+     *     conf->ssl_client_certificate_key = { 0, NULL };
      */

     conf->upstream.store = NGX_CONF_UNSET;
@@ -2795,6 +2814,19 @@
     if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
+    ngx_conf_merge_str_value(conf->ssl_client_certificate,
+                              prev->ssl_client_certificate, "");
+    ngx_conf_merge_str_value(conf->ssl_client_certificate_key,
+                              prev->ssl_client_certificate_key, "");
+    if( conf->ssl_trusted_certificate.len != 0  &&
+        ( conf->ssl_client_certificate.len != 0
+          || conf->ssl_client_certificate_key.len != 0) ) {
+
+        ngx_log_error(NGX_LOG_WARN, cf->log, 0,
+                      "proxy_ssl_trusted_certificate is configured "
+                      "so proxy_ssl_client_certificate and "
+                      "proxy_ssl_client_certificate_key will be ignored");
+    }

 #endif

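Review bot: The two `ngx_conf_merge_str_value` calls for `ssl_client_certificate` and `ssl_client_certificate_key` run after `ngx_http_proxy_set_ssl(cf, conf)` on the line above them, so when the directives are inherited from the server or http level, set_ssl still sees the zeroed `{ 0, NULL }` values documented in the earlier hunk and the client certificate is silently not loaded (or the "no proxy_ssl_trusted_certificate or ..." error fires); move both merges above the `if (conf->ssl && ...)` line, next to the existing `ssl_trusted_certificate` and `ssl_crl` merges. The warning added here also encodes a design choice worth reconsidering: a client certificate and a trusted CA bundle are independent, since presenting a client certificate does not remove the need to verify the upstream, yet the `else if` in the last hunk loads the client certificate only when `proxy_ssl_trusted_certificate` is empty and skips `ngx_ssl_crl`, and with `proxy_ssl_verify on` and no trusted certificate the upstream's certificate presumably cannot be validated at all. Loading the client certificate whenever both key and certificate are set, independently of `proxy_ssl_verify`, and leaving the trusted-certificate/CRL path unchanged would avoid both problems and make the warning unnecessary. Minor style: `if( conf->ssl_trusted_certificate.len != 0  &&` and `( conf->ssl_client_certificate.len != 0` should follow the surrounding `if (` spacing. The enclosing merge function starts and ends outside the hunk.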
@@ -3861,22 +3893,42 @@
     }

     if (plcf->upstream.ssl_verify) {
-        if (plcf->ssl_trusted_certificate.len == 0) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                      "no proxy_ssl_trusted_certificate for
proxy_ssl_verify");
-            return NGX_ERROR;
-        }
-
-        if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+
+        if (plcf->ssl_trusted_certificate.len != 0) {
+
+            if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
                                         &plcf->ssl_trusted_certificate,
                                         plcf->ssl_verify_depth)
-            != NGX_OK)
-        {
+                != NGX_OK)
+            {
+                return NGX_ERROR;
+            }
+
+            if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) !=
NGX_OK) {
+                return NGX_ERROR;
+            }
+
+        }else if (plcf->ssl_client_certificate_key.len != 0 &&
+                  plcf->ssl_client_certificate.len != 0) {
+
+            if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
+                                    &plcf->ssl_client_certificate,
+                                    &plcf->ssl_client_certificate_key,
+                                    0)
+               != NGX_OK)
+          {
+               ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+                   "ngx_ssl_certificate failed.");
+              return NGX_ERROR;
+           }
+        }else {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no proxy_ssl_trusted_certificate or "
+                          "(proxy_ssl_client_certificate and "
+                          "proxy_ssl_client_certificate_key for "
+                          "mutual authentication) for proxy_ssl_verify");
             return NGX_ERROR;
-        }
-
-        if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK)
{
-            return NGX_ERROR;
+
         }
     }