handling different two way ssl-request via a proxy system
Abdelouahed Haitoute
ahaitoute at rinis.nl
Mon Apr 13 07:13:22 UTC 2015
Hello,
Currently we’ve got the following situation in our production environment:
Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA PROXY —> HTTPS SERVERS
Just to be clear, the following services are used during this flow:
http client (firefox, chrome, curl, wget, etc.) —> Apache —> Squid —> HTTPS services of other parties on the internet, supporting two-way ssl
We’ve realized this using the following configuration on the apache service:
LoadModule ssl_module modules/mod_ssl.so
Listen *:3128
<VirtualHost *:3128>
    # Outbound TLS: present our client certificate and require a valid
    # server certificate chaining to our CA
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    # PEM file containing the client certificate and its (unencrypted) key
    SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem
    SSLProxyCACertificateFile /etc/httpd/certs/ca.crt
    # Turn every plain-HTTP request into an https:// request to the same
    # host and proxy it ([P])
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
    ProxyPreserveHost On
    # Note: $1 here is literal text, not a backreference from the RewriteRule
    ProxyPass / https://$1/
    ProxyPassReverse / https://$1/
    # Reach the HTTPS servers through the Squid proxy (CONNECT tunnel)
    ProxyRemote https http://192.168.68.102:3128
</VirtualHost>
We’re trying to replace the Apache service with nginx. I’ve installed nginx 1.7.12 on CentOS 6.6 and have realized two-way SSL in a development environment:
http client —> Nginx 1.7.12 —> https two-way ssl directly —> https.example.com
server {
    listen 3128;
    location / {
        # verify the upstream server's certificate against ca.crt
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;
        # client certificate nginx presents to the upstream server ...
        proxy_ssl_certificate /etc/nginx/certs/client.crt;
        # ... and the private key belonging to that certificate
        proxy_ssl_certificate_key /etc/nginx/certs/client.key;
        # "https" in proxy_pass makes nginx encrypt the upstream connection
        proxy_pass https://https.example.com:443/;
    }
}
There are two things I haven’t realized in the development environment, because I don’t know how:
1. Making nginx 1.7.12 use a proxy system, because that’s our policy for communicating with the outside world.
2. Making the configuration as variable as possible, so that nginx 1.7.12 handles all the different HTTP client requests to different HTTPS servers and sends them on as HTTPS two-way SSL. Currently it only handles requests for https.example.com.
Any help is welcome.
Abdelouahed
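A variable-upstream version of the nginx configuration above, added here as an example and not part of the original post or the poster's setup. The partner hostnames, the resolver address and the certificate paths are placeholders; the allowlist in the map is an assumption about which upstreams should be reachable. It answers the second question (one listener serving many two-way-SSL upstreams) while keeping nginx from becoming an open proxy that presents our client certificate to whatever host a caller names:

```nginx
# Added example (not the poster's config). Hostnames, IPs and paths are
# placeholders; replace the map entries with the real partner endpoints.

# Allowlist: Host header -> upstream host:port. Anything not listed maps to
# the empty string and is refused below. Without this map, a plain
# "proxy_pass https://$host;" would let any client that can reach port 3128
# make nginx open a client-authenticated TLS session to an arbitrary host.
map $host $mtls_upstream {
    default               "";
    https.example.com     https.example.com:443;
    partner.example.net   partner.example.net:8443;
}

server {
    listen 3128;

    # Required once proxy_pass contains a variable: the upstream name is
    # resolved per request rather than once at startup.
    resolver 192.168.68.53 valid=300s;   # placeholder internal DNS resolver
    resolver_timeout 5s;

    location / {
        if ($mtls_upstream = "") {
            return 403;
        }

        # Client certificate nginx presents to the upstream, and its key
        proxy_ssl_certificate     /etc/nginx/certs/client.crt;
        proxy_ssl_certificate_key /etc/nginx/certs/client.key;

        # Verify the upstream's server certificate against our CA bundle ...
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 3;

        # ... and check it against the name the client asked for, which is
        # also sent as SNI so the upstream selects the matching certificate.
        proxy_ssl_server_name on;
        proxy_ssl_name        $host;

        proxy_set_header Host $host;
        proxy_pass https://$mtls_upstream;
    }
}
```

With `proxy_ssl_name` set explicitly, `proxy_ssl_verify on` checks the upstream certificate against the requested hostname rather than the default `$proxy_host`, so a wrong or swapped endpoint is rejected even if it presents a certificate from the same CA. Two caveats: the `resolver` is mandatory when `proxy_pass` carries a variable, and this only covers the second question. For the first one, nginx has no equivalent of Apache's `ProxyRemote`, so it cannot tunnel its upstream TLS connections through Squid with CONNECT; this configuration still connects directly, exactly as the development setup in the post does.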