Various errors while configuring nginx for certificate-based client auth

Thu Dec 5 13:01:02 UTC 2019

Hello!

On Thu, Dec 05, 2019 at 06:51:17AM -0500, lucaprete wrote:

> I'm using nginx in form of container (docker.io/nginx), version
> 1.17.3-alpine
> I'm trying to setup my nginx to do TLS auth and then forward packets to
> another host in the network.
> As part of this I also have to support some probes that continuously monitor
> a secondary location, same server, same port.
> 
> This is my configuration
> 
> ```
> server {
>   listen 443 ssl;
>   server_name            mydomain.com;
> 
>   ssl_certificate        /etc/nginx/certs/tls.crt;
>   ssl_certificate_key    /etc/nginx/certs/tls.key;
> 
>   ssl_client_certificate /etc/nginx/ca_certs/ca.crt;
>   ssl_verify_client      optional;
>   ssl_verify_depth       2;
> 
>   location = /healthz {
>     return 200 'the app is alive!';
>   }
> 
>   location = / {
>     if ($ssl_client_verify != SUCCESS) {
>       return 403;
>     }
> 
>     proxy_pass       http://other-host:8080;
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header SSL_Client $ssl_client_s_dn;
>     proxy_set_header SSL_Client_Verify $ssl_client_verify;
>   }
> }
> ```
> 
> First of all, as soon as I load the configuration I get the following
> error:
> 
> ```
> 2019/12/05 10:22:35 [emerg] 1#1: invalid condition "!=" in
> /etc/nginx/conf.d/mydomain.conf:36
> nginx: [emerg] invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36
> ```
> 
> I find this if directive on any possible tutorial. I'm really not sure
> what's wrong here...
> 
> Also, even if I remove the if clause (just to see if otherwise it would
> work) I get another error:
> 
> ```
> 2019/12/05 11:10:20 [emerg] 1#1: invalid number of arguments in
> "proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
> nginx: [emerg] invalid number of arguments in "proxy_set_header" directive
> in /etc/nginx/conf.d/mydomain.conf:41
> ```

It looks like the configuration you are trying to put is passed 
through shell variable expansion, resulting in a completely broken 
configuration as seen by nginx.  That is,

>     if ($ssl_client_verify != SUCCESS) {

becomes

      if ( != SUCCESS) {

which would result in the error message you see, and

>     proxy_set_header Host $host;

results in

      proxy_set_header Host ;

which obviously have invalid number of aguments.  You have to find 
where the configuration is broken and fix it.

[...]

> Sorry if I posted in the same thread three different issues... I just
> thought it would have made sense to post them together.

Sure.  Clearly this is just one issue with configuration 
deployment.

-- 
Maxim Dounin
http://mdounin.ru/