Reverse Proxy Prompt for Client Certificate?

Richard Stanway r1ch+nginx at
Tue Jul 3 15:21:00 UTC 2018

I don't think this is possible. By the time you know the client wishes to
request the /winac location, the SSL session has already been established,
at which point the server can no longer send a ClientCertificateRequest.

Using the stream module to proxy the whole connection may work, but
obviously this prevents changing functionality at the HTTP level.

On Tue, Jul 3, 2018 at 3:24 PM mevans336 <nginx-forum at>

> I am trying to set up a reverse proxy to the Windows Admin Center (WAC).
> The WAC requires the use of a client certificate for authentication. When
> I log into the WAC via https://localhost:6516 or I am prompted for the
> certificate and everything works fine. If I attempt to log in from outside
> my network across the WAN, I simply receive a 403 without being prompted
> for the certificate.
>
> Microsoft says if you don't get the certificate prompt or choose the wrong
> one, you will get the 403, so I think something with my nginx reverse proxy
> config needs to be set to pass the certificate request through?
>
> Here is the relevant config ... I started with nothing but a bare
> proxy_pass and have added the rest of the directives on as I was trying to
> get it working.
>
> location /winac {
>     proxy_pass
>     proxy_ssl_verify            off;
>     proxy_set_header            X-SSL-CERT $ssl_client_escaped_cert;
>     proxy_set_header            X-SSL-CERT $ssl_client_cert;
>     proxy_pass_request_headers  on;
> }
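The stream-module approach mentioned in the reply, sketched as an added example that is not part of the original thread or anyone's actual configuration. The hostnames, the 192.0.2.10 backend address, the 8443 loopback port and the certificate paths are assumptions; only port 6516 comes from the original post. It goes slightly beyond the reply by using SNI routing so that other sites can still terminate TLS in nginx.

```nginx
# Added example. Needs nginx built with the stream and
# stream_ssl_preread modules.

stream {
    # Choose a backend from the SNI name in the ClientHello.
    # Nothing is decrypted here, so no HTTP path such as /winac is visible.
    map $ssl_preread_server_name $tls_backend {
        wac.example.com  wac;          # hypothetical dedicated WAC hostname
        default          local_https;  # everything else terminates in nginx
    }

    upstream wac {
        # Placeholder address; 6516 is the WAC port from the original post.
        server 192.0.2.10:6516;
    }

    upstream local_https {
        server 127.0.0.1:8443;
    }

    server {
        listen 443;
        ssl_preread on;
        # Raw TLS bytes are relayed, so the WAC performs the handshake
        # itself and can request the client certificate directly.
        proxy_pass $tls_backend;
    }
}

http {
    # Ordinary HTTPS sites move behind the stream listener.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name www.example.com;                             # assumption
        ssl_certificate     /etc/nginx/tls/www.example.com.crt;  # assumption
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;  # assumption

        location / {
            root /var/www/html;
        }
    }
}
```

With this layout the WAC is reached under its own hostname rather than under /winac, and because nginx never terminates that TLS session, `$ssl_client_cert` and the `X-SSL-CERT` headers do not apply to it.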