Proxy http to https with client certificate authentication

dpheasant nginx-forum at nginx.us
Tue Aug 25 20:11:56 UTC 2015


Hello everyone,

I posted this to stack-exchange, but this is probably the better place to
get a real answer. Long story short, I think we're hitting the SSL
renegotiation problem described here:
http://forum.nginx.org/read.php?2,258464,258464#msg-258464 Basically, we're
trying to wrap a request made by an internal application over HTTP, into a
HTTPS request to an upstream server that requires a client certificate. If I
understand the post correctly, as part of that connection, the remote server
asks for a client cert, which trips up NGINX b/c of the SSL renegotiate. 

Config:

location /secure/api/ {
    proxy_pass https://secure.webservice.com/secure/api/;
    proxy_ssl_certificate     /etc/ssl/api-client.crt;
    proxy_ssl_certificate_key /etc/ssl/api-client.crt.key;
    proxy_ssl_verify off;
}

We have logging turned up to debug but do not get the 'SSL Renegotiation
disabled' message in the logs, which is why I'm posting here for
confirmation.

error.log:

2015/08/25 15:33:56 [info] 29810#0: *57 client closed connection while
waiting for request, client: x.x.x.x, server: 0.0.0.0:80
2015/08/25 15:34:05 [info] 29810#0: *53 epoll_wait() reported that client
prematurely closed connection, so upstream connection is closed too while
reading response header from upstream, client: x.x.x.x, server:
our.proxy.com, request: "GET /secure/api/ HTTP/1.1", upstream:
"https://y.y.y.y:443/secure/api/", host: "our.proxy.com"


Is there any workaround for this?

Thanks in advance.

P.S. Original SE post here:
http://serverfault.com/questions/716684/nginx-proxying-http-to-https-with-client-certificate

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261245,261245#msg-261245



More information about the nginx mailing list