Problem with proxy_set_header $ssl_client_cert

Maxim Dounin mdounin at
Sun Feb 24 18:01:18 UTC 2013


On Sun, Feb 24, 2013 at 09:41:38AM -0500, jstrybis wrote:

> Hello,
> I am having an issue while verifying client SSL certificates. Everything
> works fine until I attempt to forward the cert onto the upstream.
> Once I add a line similar to the following in my location block, all
> requests become an error 400 Bad Request.
>   proxy_set_header X-SSL-Client_Cert $ssl_client_cert;
> (I've also tried $ssl_client_raw_cert, but the docs say "[$ssl_client_cert]
> is intended for the use in the proxy_set_header directive;")
> Here is my entire location block:
>   location @unicorn {
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
>     proxy_set_header X-Forwarded-Proto $scheme;
>     proxy_set_header Host $http_host;
>     proxy_redirect off;
>     proxy_pass http://unicorn;
>   }
> Originally I was using add_header X-SSL-Client-Cert in the server block,
> which did not throw a 400, but my upstream app was not seeing the header.
> Once I remove the proxy_set_header line, the server works as expected:
> requests with a valid cert get passed through while unauthenticated requests
> get a 403. (This is done by checking $ssl_client_verify).
> Am I missing something obvious? Any help would be very appreciated. Thank
> you.

The $ssl_client_cert variable abuses header continuation, and this
doesn't work with many HTTP servers (including nginx itself).
There should be a more portable way to pass the client certificate to an
upstream server.

Maxim Dounin
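
Added example, not part of the original thread: the sketch below reproduces the multi-line header that `$ssl_client_cert` generates (each PEM line after the first is prefixed with a tab) and shows a strict header parser rejecting it, next to a single-line URL-encoded form that the same parser accepts. The certificate body is a constructed placeholder, and the function names and the choice of URL-encoding are assumptions of this example; later nginx releases expose a URL-encoded form as `$ssl_client_escaped_cert`.

```python
import urllib.parse

# Constructed sample: a shortened placeholder, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUEXAMPLEEXAMPLEEXAMPLE\n"
    "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)


def as_folded_header(name, pem):
    """Render the header as $ssl_client_cert does: continuation lines start with a tab."""
    return f"{name}: " + pem.strip().replace("\n", "\n\t")


def as_escaped_header(name, pem):
    """Render the header as one line by URL-encoding the whole PEM (hypothetical helper)."""
    return f"{name}: " + urllib.parse.quote(pem, safe="")


def strict_parse(raw_headers):
    """Parse header lines like a server that refuses header continuation."""
    headers = {}
    for line in raw_headers.split("\n"):
        if line[:1] in (" ", "\t"):
            raise ValueError("400 Bad Request: folded header line")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("400 Bad Request: header line without a colon")
        headers[name.strip().lower()] = value.strip()
    return headers


def recover_pem(header_value):
    """Upstream side: turn the URL-encoded header value back into PEM text."""
    return urllib.parse.unquote(header_value)


if __name__ == "__main__":
    try:
        strict_parse(as_folded_header("X-SSL-Client-Cert", SAMPLE_PEM))
    except ValueError as exc:
        print("folded form rejected:", exc)
    parsed = strict_parse(as_escaped_header("X-SSL-Client-Cert", SAMPLE_PEM))
    print(recover_pem(parsed["x-ssl-client-cert"]))
```

An upstream that trusts this header should accept it only from the proxy, and the proxy should always overwrite any client-supplied header of the same name.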
