proxy_ssl_certificate not exchanging client certificates

Maxim Dounin mdounin at
Wed Apr 29 12:05:05 UTC 2015


On Tue, Apr 28, 2015 at 05:17:32PM -0400, lieut_data wrote:

> I was excited to see proxy_ssl_certificate and friends land in Nginx 1.7.8,
> and decided to revisit Nginx as a candidate for proxy caching an upstream
> server requiring client authentication. I've included the debugging
> configuration I've been playing around with at the end of this post.
> This particular upstream server does not trigger client authentication for
> all endpoints. For example, I can issue 
> -----
> http http://NGINX_PROXY_IP/test/path Host:UPSTREAM_SERVER
> -----
> and get back the proxied response without error. However, for endpoints that
> require client authentication (triggered by the server after it examines the
> request path), nginx never gets a response. I've verified that the upstream
> server is working as expected using both wget:

What nginx doesn't support (or, rather, explicitly forbids) is 
renegotiation.  On the other hand, renegotiation is required if 
one needs to ask for a client certificate only for some URIs, so 
it's likely used in your case.  You should see something like "SSL 
renegotiation disabled" in logs at notice level.

Maxim Dounin
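An added example, not part of the reply above or of nginx itself: a small Python parser that scans an nginx error log for the "SSL renegotiation disabled" notice and counts it per upstream and request path, showing which endpoints trigger the upstream's post-handshake certificate request. It assumes the default error log line format and that `error_log` is set to `notice` or more verbose (the default level, `error`, hides this message); the log lines, addresses and the "(no upstream)" label are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (placeholder addresses, paths and host names).
SAMPLE_LOG = """\
2015/04/29 12:00:01 [notice] 4242#0: *17 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.10, server: _, request: "GET /secure/report HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report", host: "upstream.example"
2015/04/29 12:00:02 [error] 4242#0: *18 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: _, request: "GET /favicon.ico HTTP/1.1", host: "upstream.example"
2015/04/29 12:00:09 [notice] 4242#0: *21 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.11, server: _, request: "POST /secure/upload?id=7 HTTP/1.1", upstream: "https://198.51.100.5:443/secure/upload?id=7", host: "upstream.example"
2015/04/29 12:00:15 [notice] 4242#0: *30 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.10, server: _, request: "GET /secure/report HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report", host: "upstream.example"
2015/04/29 12:00:20 [notice] 4242#0: signal process started
"""

# Matches only notice-level lines tied to a connection (*N) that carry the
# renegotiation message, then pulls the request line and, if present, the
# upstream URL that follows it in nginx's log context.
LINE_RE = re.compile(
    r'^\S+ \S+ \[notice\] \d+#\d+: \*\d+ SSL renegotiation disabled'
    r'.*?request: "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
    r'(?:, upstream: "(?P<upstream>[^"]+)")?'
)
ORIGIN_RE = re.compile(r'^[a-z]+://[^/]+')


def renegotiation_paths(log_text):
    """Count renegotiation notices per (upstream origin, request path)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string so the same endpoint groups together.
        path = m.group("uri").split("?", 1)[0]
        upstream = m.group("upstream") or "(no upstream)"
        origin = ORIGIN_RE.match(upstream)
        hits[(origin.group(0) if origin else upstream, path)] += 1
    return hits


if __name__ == "__main__":
    for (origin, path), count in renegotiation_paths(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {origin}  {path}")
```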
