proxy_ssl_certificate not exchanging client certificates
Maxim Dounin
mdounin at mdounin.ru
Wed Apr 29 12:05:05 UTC 2015
Hello!
On Tue, Apr 28, 2015 at 05:17:32PM -0400, lieut_data wrote:
> I was excited to see proxy_ssl_certificate and friends land in Nginx 1.7.8,
> and decided to revisit Nginx as a candidate for proxy caching an upstream
> server requiring client authentication. I've included the debugging
> configuration I've been playing around with at the end of this post.
>
> This particular upstream server does not trigger client authentication for
> all endpoints. For example, I can issue
>
> -----
> http http://NGINX_PROXY_IP/test/path Host:UPSTREAM_SERVER
> -----
>
> and get back the proxied response without error. However, for endpoints that
> require client authentication (triggered by the server after it examines the
> request path), nginx never gets a response. I've verified that the upstream
> server is working as expected using both wget:
What nginx doesn't support (or, rather, explicitly forbids) is
renegotiation. On the other hand, renegotiation is required if
one needs to ask for a client certificate only for some URIs, so
it's likely used in your case. You should see something like "SSL
renegotiation disabled" in logs at notice level.
--
Maxim Dounin
http://nginx.org/
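
Added example, not part of the original message or of nginx itself: a Python sketch that scans an nginx error log for the "SSL renegotiation disabled" notice mentioned above and counts hits per upstream and request path, showing which URIs make the upstream ask for renegotiation. The sample lines, addresses and paths are constructed, and the fields after the message assume the usual error_log line layout.

```python
import re
from collections import Counter

# The notice text quoted in the reply above.
MARKER = "SSL renegotiation disabled"

# Constructed sample lines (documentation addresses, made-up paths and host names).
SAMPLE_LOG = '''\
2015/04/29 12:00:01 [notice] 4321#0: *7 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.10, server: _, request: "GET /secure/report HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report", host: "upstream.example"
2015/04/29 12:00:09 [info] 4321#0: *9 client 192.0.2.11 closed keepalive connection
2015/04/29 12:01:30 [notice] 4321#0: *12 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.10, server: _, request: "GET /secure/report?id=2 HTTP/1.1", upstream: "https://198.51.100.5:443/secure/report?id=2", host: "upstream.example"
2015/04/29 12:02:00 [notice] 4321#0: *15 SSL renegotiation disabled while reading response header from upstream, client: 192.0.2.12, server: _, request: "POST /admin/upload HTTP/1.1", upstream: "https://198.51.100.5:443/admin/upload", host: "upstream.example"
'''

# Assumed layout: "date time [level] pid#tid: *conn message, key: value, ..."
LINE = re.compile(
    r'^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\*\d+ )?(?P<msg>.*)$'
)
REQUEST = re.compile(r'request: "\S+ (?P<uri>\S+)')
UPSTREAM = re.compile(r'upstream: "\w+://(?P<hostport>[^/"]+)')


def renegotiation_hits(log_text):
    """Count renegotiation notices per (upstream host:port, request path)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["level"] != "notice" or not m["msg"].startswith(MARKER):
            continue
        req = REQUEST.search(m["msg"])
        up = UPSTREAM.search(m["msg"])
        # Drop the query string so hits group by endpoint, not by parameters.
        path = req["uri"].split("?", 1)[0] if req else "-"
        hits[(up["hostport"] if up else "-", path)] += 1
    return hits


if __name__ == "__main__":
    for (upstream, path), count in renegotiation_hits(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {upstream}  {path}")
```

The notice is only written when `error_log` is set to `notice` or a more verbose level (`info`, `debug`).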