ProxySSL with client certificate - error redirection problem
Igor Sysoev
is at rambler-co.ru
Tue Sep 22 14:20:44 MSD 2009
On Tue, Sep 22, 2009 at 05:45:27AM -0400, adileso wrote:
> Thank you very much Igor,
>
> Your setup is working fine if I do reverse proxy on http.
> Because I needed to redirect the error to a https page, I have modified the setup by creating another proxy ssl instance, where I didn't ask for ssl_verify_client.
You do not need an external redirect for this:
error_page 495 496 /certsrv;

location = /certsrv {
    proxy_pass https://internal.web.server;
    ...
}
> My setup is working now, even if I don't use the standard SSL port. Any other suggestions for it?
> Here it is, for any other interested:
>
>
>
> # HTTPS server configuration
> #
>
> server {
> listen 443;
>
> ssl on;
> ssl_certificate /etc/httpd/ssl/proxy-ssl.cer;
> ssl_certificate_key /etc/httpd/ssl/server.key;
> ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
> ssl_session_timeout 5m;
> ssl_protocols SSLv2 SSLv3 TLSv1;
> ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
> ssl_prefer_server_ciphers on;
> ssl_verify_client on;
> ssl_verify_depth 5;
>
>
> error_page 495 https://external.web.address:44399/certsrv;
> error_page 496 https://external.web.address:44399/certsrv;
>
> location / {
> proxy_pass http://internal.web.server:80;
> proxy_buffering on;
> proxy_set_header Subject $ssl_client_s_dn;
> proxy_set_header Issuer $ssl_client_i_dn;
> proxy_set_header SerialNumber $ssl_client_serial;
> client_max_body_size 10m;
> client_body_buffer_size 128k;
> proxy_connect_timeout 15;
> proxy_intercept_errors on;
> }
>
> access_log /var/log/nginx/proxy.access.log main;
> error_log /var/log/nginx/proxy.error.log debug;
>
> }
>
>
> server {
> listen 44399;
>
> ssl on;
> ssl_certificate /etc/httpd/ssl/proxy-ssl.cer;
> ssl_certificate_key /etc/httpd/ssl/server.key;
> ssl_session_timeout 5m;
> ssl_protocols SSLv2 SSLv3 TLSv1;
> ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
> ssl_prefer_server_ciphers on;
>
> location / {
> proxy_pass https://internal.web.server;
> proxy_buffering on;
> client_max_body_size 10m;
> client_body_buffer_size 128k;
> proxy_connect_timeout 15;
> proxy_intercept_errors on;
> }
>
> access_log /var/log/nginx/certificate.access.log main;
> error_log /var/log/nginx/certificate.error.log debug;
>
> }
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,8120,8343#msg-8343
>
--
Igor Sysoev
http://sysoev.ru/en/
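Igor's internal error_page approach folded into a single server block, as an added example (not from the thread): host names and paths are the placeholders from the quoted post, and the TLS directives use current nginx syntax (listen ... ssl, TLSv1.2/1.3) rather than the 2009 values.

```nginx
# Added example: one server block handles both the client-cert-protected
# proxy and the certificate page, serving errors 495/496 from an internal
# location instead of redirecting to a second SSL listener.
server {
    listen 443 ssl;

    ssl_certificate         /etc/httpd/ssl/proxy-ssl.cer;
    ssl_certificate_key     /etc/httpd/ssl/server.key;
    ssl_client_certificate  /etc/httpd/ssl/ca-bundle.crt;
    ssl_verify_client       on;
    ssl_verify_depth        2;   # assumed chain length; set to your CA chain's depth

    ssl_protocols             TLSv1.2 TLSv1.3;   # replaces the quoted SSLv2/SSLv3 list
    ssl_prefer_server_ciphers on;
    ssl_session_timeout       5m;

    # 495: client certificate failed verification; 496: no certificate sent.
    # Both go to the internal location below, so no external redirect and
    # no second listener are needed.
    error_page 495 496 /certsrv;

    location = /certsrv {
        # Reached only when verification failed, so the $ssl_client_*
        # identity headers are deliberately not forwarded from here.
        proxy_pass https://internal.web.server;
    }

    location / {
        proxy_pass     http://internal.web.server:80;
        proxy_buffering on;

        # Identity of the verified client for the backend. proxy_set_header
        # overrides any same-named header the client itself sent.
        proxy_set_header Subject      $ssl_client_s_dn;
        proxy_set_header Issuer       $ssl_client_i_dn;
        proxy_set_header SerialNumber $ssl_client_serial;

        client_max_body_size    10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout   15;
    }

    access_log /var/log/nginx/proxy.access.log main;
    error_log  /var/log/nginx/proxy.error.log warn;
}
```

Because the identity headers are set only inside location /, a request that lands in /certsrv after a failed verification never carries them to the backend.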