Reverse Proxy Prompt for Client Certificate?
Richard Stanway
r1ch+nginx at teamliquid.net
Tue Jul 3 15:21:00 UTC 2018
I don't think this is possible. By the time you know the client wishes to
request the /winac location, the SSL session has already been established,
at which point the server can no longer send a ClientCertificateRequest.
Using the stream module to proxy the whole connection may work, but
obviously this prevents changing functionality at the HTTP level.
http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html
On Tue, Jul 3, 2018 at 3:24 PM mevans336 <nginx-forum at forum.nginx.org>
wrote:
> I am trying to set up a reverse proxy to the Windows Admin Center (WAC).
> The
> WAC requires the use of a client certificate for authentication. When I log
> into the WAC via https://localhost:6516 or https://192.168.0.100:6516 I am
> prompted for the certificate and everything works fine. If I attempt to log
> in from outside my network across the WAN, I simply receive a 403 without
> being prompted for the certificate.
>
> Microsoft says if you don't get the certificate prompt or choose the wrong
> one, you will get the 403, so I think something with my nginx reverse proxy
> config needs to be set to pass the certificate request through?
>
> Here is the relevant config ... I started with nothing but a bare
> proxy_pass
> and have added the rest of the directives on as I was trying to get it
> working.
>
> location /winac {
> proxy_pass
> https://192.168.0.100:6516;
> proxy_ssl_verify off;
> proxy_set_header X-SSL-CERT
> $ssl_client_escaped_cert;
> proxy_set_header X-SSL-CERT
> $ssl_client_cert;
> proxy_pass_request_headers on;
> }
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,280385,280385#msg-280385
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180703/5fcc7316/attachment.html>
More information about the nginx
mailing list