proxy_ssl_certificate not exchanging client certificates

Maxim Dounin mdounin at mdounin.ru
Wed Apr 29 12:05:05 UTC 2015


Hello!

On Tue, Apr 28, 2015 at 05:17:32PM -0400, lieut_data wrote:

> I was excited to see proxy_ssl_certificate and friends land in Nginx 1.7.8,
> and decided to revisit Nginx as a candidate for proxy caching an upstream
> server requiring client authentication. I've included the debugging
> configuration I've been playing around with at the end of this post.
> 
> This particular upstream server does not trigger client authentication for
> all endpoints. For example, I can issue 
> 
> -----
> http http://NGINX_PROXY_IP/test/path Host:UPSTREAM_SERVER
> -----
> 
> and get back the proxied response without error. However, for endpoints that
> require client authentication (triggered by the server after it examines the
> request path), nginx never gets a response. I've verified that the upstream
> server is working as expected using both wget:

What nginx doesn't support (or, rather, explicitly forbids) is 
renegotiation.  On the other hand, renegotiation is required if 
one needs to ask for a client certificate only for some URIs, so 
it's likely used in your case.  You should see something like "SSL 
renegotiation disabled" in logs at notice level.

-- 
Maxim Dounin
http://nginx.org/
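Added example, not from the original post or from nginx itself: a proxy-side configuration of the kind the poster describes, with the directives Maxim's answer implies you need to check. The hostnames, file paths and cache zone name are placeholders, and the upstream is assumed to request the client certificate in the initial handshake rather than via renegotiation. The snippet belongs inside an http { } block.

```nginx
# Added example (not the original poster's configuration). nginx as a
# caching reverse proxy that presents a client certificate to an HTTPS
# upstream. Hostnames, paths and the cache zone name are placeholders.

proxy_cache_path /var/cache/nginx/upstream levels=1:2 keys_zone=upstream_cache:10m
                 max_size=1g inactive=60m;

# "SSL renegotiation disabled" is logged at notice level, so the error log
# has to be at notice (or more verbose) for the message to appear. Check with:
#   grep 'SSL renegotiation disabled' /var/log/nginx/error.log
error_log /var/log/nginx/error.log notice;

server {
    listen 80;
    server_name proxy.example.com;

    location / {
        proxy_pass https://upstream.example.com;
        proxy_set_header Host upstream.example.com;

        # Client certificate and key nginx presents when the upstream asks
        # for one during the initial TLS handshake (needs nginx >= 1.7.8).
        # nginx will not answer a renegotiation request sent later, e.g. after
        # the upstream has seen the request path, so the upstream must ask for
        # the certificate for the whole virtual host, not per URI.
        proxy_ssl_certificate     /etc/nginx/ssl/client.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/client.key;

        # Verify the upstream's server certificate instead of trusting it blindly,
        # and send SNI so a name-based upstream presents the right certificate.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                upstream.example.com;

        proxy_cache       upstream_cache;
        proxy_cache_valid 200 10m;
    }
}
```

The fix for the symptom in the thread is on the upstream side, not in this file: the upstream has to ask for the client certificate for the whole virtual host during the initial handshake. If the upstream is Apache httpd, for instance, that means SSLVerifyClient in the VirtualHost rather than in a Location or Directory block, because per-directory SSLVerifyClient is implemented by renegotiating after the request has been read, which is exactly what nginx refuses.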


