ProxySSL with client certificate - error redirection problem

adileso nginx-forum at nginx.us
Tue Sep 22 13:45:27 MSD 2009


Thank you very much Igor,

Your setup is working fine if I do reverse proxy on http.
Because I needed to redirect the error to an https page, I modified the setup by creating another proxy SSL instance in which I did not ask for ssl_verify_client.
My setup is working now, even though I do not use the standard SSL port. Any other suggestions for it?
Here it is, for anyone else who is interested:



# HTTPS server configuration
#

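server {
    listen      443;

    # TLS is terminated here; the backend only ever sees plain HTTP from this proxy.
    ssl                  on;
    ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
    ssl_certificate_key  /etc/httpd/ssl/server.key;
    # CA bundle used to validate client certificates (chains up to ssl_verify_depth).
    ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
    ssl_session_timeout  5m;
    # SSLv2 and SSLv3 are broken protocols; offer TLS only. TLSv1.1/TLSv1.2
    # need an nginx/OpenSSL build that supports them; on older builds use
    # "ssl_protocols TLSv1;" alone rather than re-enabling SSLv2/SSLv3.
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    # Exclude anonymous, NULL, export, LOW, MD5 and RC4 suites. The original
    # list (+LOW:+SSLv2:+EXP) admitted ciphers that are trivially breakable.
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!SSLv2;
    ssl_prefer_server_ciphers   on;
    # A client certificate signed by the bundle above is mandatory.
    ssl_verify_client       on;
    ssl_verify_depth 5;

    # 495: client certificate failed verification; 496: no certificate sent.
    # Both redirect to the enrollment site on port 44399, which is served by
    # a separate server block that does not require a client certificate.
    error_page   495   https://external.web.address:44399/certsrv;
    error_page   496   https://external.web.address:44399/certsrv;

    location / {
        proxy_pass      http://internal.web.server:80;
        proxy_buffering on;
        # Forward the verified client identity to the backend. proxy_set_header
        # replaces any same-named header the client sent, so these values are
        # trustworthy only while the backend is reachable solely through this
        # proxy; if it is reachable directly, a client could supply them itself.
        proxy_set_header    Subject    $ssl_client_s_dn;
        proxy_set_header    Issuer     $ssl_client_i_dn;
        proxy_set_header    SerialNumber     $ssl_client_serial;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 15;
        proxy_intercept_errors on;
    }

    access_log  /var/log/nginx/proxy.access.log  main;
    # "debug" is extremely verbose and writes request details to disk; use it
    # only while troubleshooting and fall back to "warn" for normal operation.
    error_log  /var/log/nginx/proxy.error.log  warn;
}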


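server {
    listen      44399;

    # Enrollment endpoint reached via the 495/496 redirects from port 443.
    # It presents the same server certificate but deliberately has no
    # ssl_verify_client, because its clients do not hold a certificate yet.
    ssl                  on;
    ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
    ssl_certificate_key  /etc/httpd/ssl/server.key;
    ssl_session_timeout  5m;
    # SSLv2 and SSLv3 are broken protocols; offer TLS only. TLSv1.1/TLSv1.2
    # need an nginx/OpenSSL build that supports them; on older builds use
    # "ssl_protocols TLSv1;" alone rather than re-enabling SSLv2/SSLv3.
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    # Exclude anonymous, NULL, export, LOW, MD5 and RC4 suites. The original
    # list (+LOW:+SSLv2:+EXP) admitted ciphers that are trivially breakable.
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!SSLv2;
    ssl_prefer_server_ciphers   on;

    location / {
        # The upstream connection is TLS, but nothing here validates the
        # backend's certificate (proxy_ssl_verify is not set). That is only
        # acceptable on a trusted internal network; on nginx builds that
        # support it, proxy_ssl_verify with proxy_ssl_trusted_certificate
        # closes the gap.
        proxy_pass      https://internal.web.server;
        proxy_buffering on;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 15;
        proxy_intercept_errors on;
    }

    access_log  /var/log/nginx/certificate.access.log  main;
    # "debug" is extremely verbose and writes request details to disk; use it
    # only while troubleshooting and fall back to "warn" for normal operation.
    error_log  /var/log/nginx/certificate.error.log  warn;
}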

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,8120,8343#msg-8343





