Problem with proxy_set_header $ssl_client_cert

jstrybis nginx-forum at nginx.us
Sun Feb 24 14:41:38 UTC 2013


Hello,

I am having an issue while verifying client SSL certificates. Everything
works fine until I attempt to forward the cert onto the upstream.

Once I add a line similar to the following in my location block, all
requests become an error 400 Bad Request.
> proxy_set_header X-SSL-Client_Cert $ssl_client_cert;
(I've also tried $ssl_client_raw_cert, but the docs say "[$ssl_client_cert]
is intended for the use in the proxy_set_header directive;"

Here is my entire location block:
  location @unicorn {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unicorn;
  }

Originally I was using add_header X-SSL-Client-Cert in the server block,
which did not throw a 400, but my upstream app was not seeing the header.

Once I remove the proxy_set_header line, the server works as expected:
requests with a valid cert get passed through while unauthenticated requests
get a 403. (This is done by checking $ssl_client_verify).

Am I missing something obvious? Any help would be very appreciated. Thank
you.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,236546,236546#msg-236546



More information about the nginx mailing list