Need to compare client certificate CN with an entry in /etc/hosts

Radha Venkatesh (radvenka) radvenka at cisco.com
Tue Nov 26 19:19:55 UTC 2013


I am a newbie to Nginx. We plan to use nginx as a reverse proxy to Tomcat and Node.js on our systems. We plan to use MTLS to secure server-to-server communication (between nginx on different servers). An additional requirement is that we have to match the client certificate CN with an existing entry in /etc/hosts. What would be the simplest mechanism to do this? HttpPerlModule? Uwsgi?
Below is the config we have used to prototype nginx as a reverse proxy with MTLS.

    server {
        listen       443 ssl;
        server_name  localhost;

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        #SSL Certs
        ssl_certificate      /etc/nginx/locations.d/b7k-vma170.crt;
        ssl_certificate_key  /etc/nginx/locations.d/b7k-vma170.key;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         RC4:HIGH:!aNULL:!MD5:AES128-SHA:AES256-SHA:RC4-SHA:@STRENGTH;
        ssl_client_certificate  /etc/nginx/locations.d/root-ca.crt;
        ssl_verify_client   on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        keepalive_timeout    70;

        include /etc/nginx/locations.d/*.conf;
        include /var/nginx/locations.d/*.conf;
        deny all;
    }
ip-allow.conf contents

    allow 10.94.12.148;
    allow 10.94.12.165;
    deny all;


webapps.conf contents

    location / {
        root /var/lib/tomcat/webapps;
        proxy_pass http://127.0.0.1:8082;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;

        proxy_connect_timeout      1200;
        proxy_send_timeout         1200;
        proxy_read_timeout         1200;
    }
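One way to implement the check the post asks for, as an added example that is not part of the original message or of nginx itself: a small Python policy function of the kind a local `auth_request` backend (available since nginx 1.5.4) could call, fed nginx's `$ssl_client_s_dn` and `$remote_addr`. It goes one step beyond the post's CN-only match by also requiring that the connecting peer's IP be the one /etc/hosts lists for that CN, so a valid certificate cannot be replayed from a different host. The hosts-file content, DNs and the `authorize` function name are constructed for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample /etc/hosts content (hostnames and IPs are illustrative).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
10.94.12.148 b7k-vma170.example.internal b7k-vma170   # peer 1
10.94.12.165 b7k-vma171.example.internal b7k-vma171   # peer 2
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname and alias in hosts-file text to its IP (names lower-cased)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)    # first mapping wins, as a resolver does
    return table

def extract_cn(subject_dn: str) -> Optional[str]:
    """Pull the CN out of nginx's $ssl_client_s_dn.

    Handles both the legacy '/C=US/O=Example/CN=host' form (nginx before 1.11.6,
    the format in use when this thread was posted) and the RFC 2253
    'CN=host,O=Example,C=US' form that newer nginx emits. CNs containing an
    escaped comma or slash are not handled and are treated as no match.
    """
    m = re.search(r"(?:^|[/,])CN=([^/,]+)", subject_dn)
    return m.group(1).strip() if m else None

def authorize(subject_dn: str, remote_addr: str, hosts: Dict[str, str]) -> bool:
    """Allow only if the certificate CN names a host in /etc/hosts AND the
    peer's source IP equals the address listed for that name."""
    cn = extract_cn(subject_dn)
    if cn is None:
        return False
    expected_ip = hosts.get(cn.lower())
    return expected_ip is not None and expected_ip == remote_addr
```

In an `auth_request` setup the backend would receive `$ssl_client_s_dn` and `$remote_addr` via `proxy_set_header` and answer 200 or 403 based on `authorize`; reading the live /etc/hosts on each request keeps the check in sync with host changes.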
