Need to compare client certificate CN with an entry in /etc/hosts
Radha Venkatesh (radvenka)
radvenka at cisco.com
Tue Nov 26 19:19:55 UTC 2013
I am a newbie to Nginx. We plan to use nginx as a reverse proxy to Tomcat and Node.js on our systems. We plan to use MTLS to secure server-to-server communication (between nginx on different servers). An additional requirement is that we have to match the client certificate CN with an existing entry in /etc/hosts. What would be the simplest mechanism to do this? HttpPerlModule? Uwsgi?
Below is the config we have used to prototype nginx as a reverse proxy with MTLS.
server {
    listen 443 ssl;
    server_name localhost;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    #SSL Certs
    ssl_certificate /etc/nginx/locations.d/b7k-vma170.crt;
    ssl_certificate_key /etc/nginx/locations.d/b7k-vma170.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:AES128-SHA:AES256-SHA:RC4-SHA:@STRENGTH;
    ssl_client_certificate /etc/nginx/locations.d/root-ca.crt;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;

    include /etc/nginx/locations.d/*.conf;
    include /var/nginx/locations.d/*.conf;
    deny all;
}
ip-allow.conf contents:

    allow 10.94.12.148;
    allow 10.94.12.165;
    deny all;
webapps.conf contents:

    location / {
        root /var/lib/tomcat/webapps;
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout 1200;
        proxy_send_timeout 1200;
        proxy_read_timeout 1200;
    }
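One low-dependency way to get the CN-against-/etc/hosts check described above is to generate an nginx `map` over `$ssl_client_s_dn` from the hosts file, rather than scripting it per request. The script below is an added example, not from the original post: it parses /etc/hosts-style text (the addresses and hostnames are constructed), extracts the CN from the subject DN in either the legacy OpenSSL form or the RFC 2253 form that newer nginx releases emit, and renders the map block.

```python
import re

# Constructed sample /etc/hosts content (not from the post); addresses and
# hostnames are illustrative only.
HOSTS_TEXT = """\
127.0.0.1     localhost
10.94.12.148  b7k-vma170.example.internal b7k-vma170   # tomcat/node peer
10.94.12.165  b7k-vma171.example.internal b7k-vma171
"""

def hosts_names(text):
    """Return the hostnames (canonical names and aliases) found in /etc/hosts text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) >= 2:                     # fields[0] is the address
            names.update(fields[1:])
    return names

def cn_from_dn(dn):
    """Pull the CN out of the subject DN nginx exposes as $ssl_client_s_dn.
    Accepts the legacy OpenSSL form '/C=US/O=Example/CN=host' as well as the
    RFC 2253 form 'CN=host,O=Example,C=US' that newer nginx releases emit."""
    m = re.search(r"(?:^|[/,])CN=([^/,]+)", dn)
    return m.group(1).strip() if m else None

def cn_allowed(dn, hosts_text=HOSTS_TEXT):
    """True only when the client certificate CN names a host listed in /etc/hosts."""
    cn = cn_from_dn(dn)
    if cn is None:
        return False
    return cn.lower() in {n.lower() for n in hosts_names(hosts_text)}

def nginx_map(hosts_text=HOSTS_TEXT, variable="$cn_ok"):
    """Render an nginx 'map' block that sets $cn_ok to 1 only for DNs whose CN is
    one of the /etc/hosts names; regenerate and reload nginx when /etc/hosts changes."""
    lines = ["map $ssl_client_s_dn %s {" % variable, "    default 0;"]
    for name in sorted(hosts_names(hosts_text)):
        # '~*' = case-insensitive PCRE match; the trailing group stops 'host' matching 'host2'
        lines.append('    "~*(^|[/,])CN=%s([/,]|$)" 1;' % re.escape(name))
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(cn_allowed("/C=US/O=Example/CN=b7k-vma170"))               # True
    print(cn_allowed("CN=b7k-vma170.example.internal,O=Example"))    # True
    print(cn_allowed("/C=US/O=Example/CN=b7k-vma1700"))              # False
    print(nginx_map())
```

The rendered block goes at `http` level and is enforced in the proxied location with `if ($cn_ok = 0) { return 403; }`, which complements (does not replace) the IP allow list already in ip-allow.conf.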