ProxySSL with client certificate - error redirection problem
Igor Sysoev
is at rambler-co.ru
Mon Sep 21 23:05:51 MSD 2009
On Mon, Sep 21, 2009 at 08:46:03AM -0400, adileso wrote:
> Hi all,
>
> I have published an internal web site with HTTPS and set the ssl_verify_client on. I need some fields from the client certificate to send them to the back-end web server, so I can correctly access a specific database.
>
> It's working but I also need to redirect the client to a second internal website in case his certificate is missing or is invalid.
> I have tried to capture the error page that I've got in the browser (when I don't send a client certificate) and put a redirect link in that error page. The second website will generate the client certificates based on a user and password.
>
> I am trying to avoid giving 2 separate links to the client (one for the client certificate generation and one for database access).
> Any suggestions? I've also tried to do this with the Apache ssl_error_module with no luck.
> Thanks in advance.
>
>
> server {
>     listen 8443;
>     ssl on;
>     ssl_certificate /etc/httpd/ssl/proxy-ssl.cer;
>     ssl_certificate_key /etc/httpd/ssl/server.key;
>     ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
>     ssl_session_timeout 5m;
>     ssl_protocols SSLv2 SSLv3 TLSv1;
>     ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>     ssl_prefer_server_ciphers on;
>     ssl_verify_client on;
>     ssl_verify_depth 5;
>
>     error_page 400 /400.html;
>     location /400.html {
>         root /usr/share/nginx/html;
>     }
>
>     access_log /var/log/nginx/proxy.access.log main;
>     error_log /var/log/nginx/proxy.error.log debug;
>
>     location / {
>         proxy_pass http://10.20.0.15:80;
>         proxy_buffering on;
>         proxy_set_header Subject $ssl_client_s_dn;
>         proxy_set_header Issuer $ssl_client_i_dn;
>         proxy_set_header SerialNumber $ssl_client_serial;
>         client_max_body_size 10m;
>         client_body_buffer_size 128k;
>         proxy_connect_timeout 15;
>         proxy_intercept_errors on;
>     }
> }
I do not understand your problem completely, however, probably you need
something like this:
error_page 495 = /invalid;
error_page 496 = /no_cert;

location / {
    # usual way
    proxy_pass ...
}

location = /invalid {
    # invalid cert
    proxy_pass ...
}

location = /no_cert {
    # no cert
    proxy_pass ...
}
--
Igor Sysoev
http://sysoev.ru/en/
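A complete server block that applies the 495/496 mapping from the reply above, written here as an added example rather than as configuration from either poster. nginx reports a client certificate that failed verification as status 495 and a missing client certificate as status 496, both of which can be routed with error_page. The certificate paths, the enrollment host enroll.example.internal and the TLS protocol list are assumptions; the backend address 10.20.0.15:80 is the one from the quoted configuration.

```nginx
# Added example, not from the original thread. Paths, hostnames and the
# protocol list are placeholders; adjust them to your environment.
server {
    listen 8443 ssl;
    server_name db.example.internal;

    ssl_certificate         /etc/nginx/ssl/proxy-ssl.cer;
    ssl_certificate_key     /etc/nginx/ssl/server.key;
    ssl_protocols           TLSv1.2 TLSv1.3;

    # CA bundle that issued the client certificates. nginx verifies the
    # presented certificate against it during the handshake and, with
    # "on", rejects the request (not the connection) when it fails.
    ssl_client_certificate  /etc/nginx/ssl/ca-bundle.crt;
    ssl_verify_client       on;
    ssl_verify_depth        5;

    # 495: certificate presented but failed verification (expired, untrusted
    #      issuer, revoked, ...). 496: no certificate presented at all.
    # Route each to a named location instead of a bare error page.
    error_page 495 = @invalid_cert;
    error_page 496 = @no_cert;

    # Normal path: the certificate verified, so forward its identity fields.
    # proxy_set_header replaces any same-named header the client sent, so a
    # client cannot smuggle its own Subject/Issuer/Serial through the proxy.
    location / {
        proxy_pass http://10.20.0.15:80;
        proxy_set_header Host             $host;
        proxy_set_header X-Client-Subject $ssl_client_s_dn;
        proxy_set_header X-Client-Issuer  $ssl_client_i_dn;
        proxy_set_header X-Client-Serial  $ssl_client_serial;
    }

    # No certificate: send the user to the enrollment site, which is the
    # "single link" behaviour the original question asked for.
    location @no_cert {
        return 302 https://enroll.example.internal/;
    }

    # Certificate present but invalid: a different landing page, so the
    # user learns the certificate itself is the problem rather than re-enrolling blindly.
    location @invalid_cert {
        return 302 https://enroll.example.internal/invalid;
    }
}
```

Two points to check before relying on this. First, the backend at 10.20.0.15:80 is trusting the X-Client-* headers as authentication, so it must only be reachable from the proxy (host firewall or a proxy-only network segment); anyone who can reach the backend directly can supply those headers themselves. Second, since nginx 1.11.6 `$ssl_client_s_dn` is formatted per RFC 2253 (`CN=alice,O=Example`) rather than the older `/O=Example/CN=alice` form, which `$ssl_client_s_dn_legacy` still provides; whichever format the backend parses, it should match on the full DN or the serial plus issuer, not on the CN alone.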