Various errors while configuring nginx for certificate-based client auth

Thu Dec 5 11:51:17 UTC 2019

Hi guys,

I'm using nginx in form of container (docker.io/nginx), version
1.17.3-alpine
I'm trying to setup my nginx to do TLS auth and then forward packets to
another host in the network.
As part of this I also have to support some probes that continuously monitor
a secondary location, same server, same port.

This is my configuration

```
server {
  listen 443 ssl;
  server_name            mydomain.com;

  ssl_certificate        /etc/nginx/certs/tls.crt;
  ssl_certificate_key    /etc/nginx/certs/tls.key;

  ssl_client_certificate /etc/nginx/ca_certs/ca.crt;
  ssl_verify_client      optional;
  ssl_verify_depth       2;

  location = /healthz {
    return 200 'the app is alive!';
  }

  location = / {
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }

    proxy_pass       http://other-host:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header SSL_Client $ssl_client_s_dn;
    proxy_set_header SSL_Client_Verify $ssl_client_verify;
  }
}
```

First of all, as soon as I load the configuration I get the following
error:

```
2019/12/05 10:22:35 [emerg] 1#1: invalid condition "!=" in
/etc/nginx/conf.d/mydomain.conf:36
nginx: [emerg] invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36
```

I find this if directive on any possible tutorial. I'm really not sure
what's wrong here...

Also, even if I remove the if clause (just to see if otherwise it would
work) I get another error:

```
2019/12/05 11:10:20 [emerg] 1#1: invalid number of arguments in
"proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
nginx: [emerg] invalid number of arguments in "proxy_set_header" directive
in /etc/nginx/conf.d/mydomain.conf:41
```

Even after removing all the entire `location = /` block (to see if at least
the container starts and /healtz return 200), I still get the following
error:

```
2019/12/05 11:43:30 [error] 8#8: *90 open() "/etc/nginx/html/healtz" failed
(2: No such file or directory), client: 172.16.0.158, server: , request:
"GET /healtz HTTP/1.1", host: "mydomain.com"
172.16.0.158 - - [05/Dec/2019:11:43:30 +0000] "GET /healtz HTTP/1.1" 404 153
"-" "Wget" "-"
172.16.56.6 - - [05/Dec/2019:11:43:40 +0000] "GET / HTTP/1.1" 404 153 "-"
"-" "-"
```

Shouldn't the return directive (as written) simply return a 200 and the
message, even if a page is not present?

Sorry if I posted in the same thread three different issues... I just
thought it would have made sense to post them together.

Thank you,

-Luca

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286413,286413#msg-286413