Nginx can’t proxy client certificate authentication
WoMa
nginx-forum at forum.nginx.org
Fri Mar 15 14:38:25 UTC 2019
Hi, all
I have this path: request https -> nginx -> haproxy -> http application
It works fine until I add client certificate authentication on haproxy.
When I add client certificate authentication on haproxy, I get an error on
nginx:
2019/03/14 17:39:39 [error] 1090#0: *6254 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream,
When I test it without nginx (https -> haproxy -> http application), I can
authenticate with a client certificate and everything works fine.
(On nginx, only location /contextroot1 and location /contextroot2 are
proxied to haproxy.)
Any help or suggestions are appreciated.
Thanks!
My nginx version: 1.10.2
My nginx config:
upstream backend_www {
    server 172.16.1.4:443;
}

upstream backend_lbxaproxy {
    server 172.16.1.5:443;
}

server {
    listen 443 ssl;
    server_name www.sampledomain.com;

    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_certificate /etc/pki/tls/certs/www.sampledomain.com/sampledomain.crt;
    ssl_certificate_key /etc/pki/tls/certs/www.sampledomain.com/sampledomain.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/pki/tls/certs/www.eskok.pl/CA_root.crt;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_dhparam /etc/pki/tls/certs/dhparam.pem;

    location / {
        proxy_pass https://backend_www;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /contextroot1 {
        proxy_pass https://backend_lbxaproxy/contextroot1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /contextroot2 {
        proxy_pass https://backend_lbxaproxy/contextroot2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283393,283393#msg-283393
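
Added example, not part of the original post or of nginx's own documentation: nginx terminates the browser's TLS session, so the end user's certificate cannot be relayed to haproxy, and alert 40 is consistent with an upstream that requires a client certificate receiving none from nginx. Assuming that is the cause here, the configuration below verifies the end user's certificate on nginx and has nginx authenticate to haproxy with a certificate of its own. Every path under /etc/nginx/tls/, the name haproxy.internal.example and the X-SSL-Client-* header names are placeholders.

```nginx
# Added example. Paths under /etc/nginx/tls/, haproxy.internal.example and
# the X-SSL-Client-* header names are placeholders, not values from the post.
upstream backend_lbxaproxy {
    server 172.16.1.5:443;
}

server {
    listen 443 ssl;
    server_name www.sampledomain.com;

    ssl_certificate     /etc/pki/tls/certs/www.sampledomain.com/sampledomain.crt;
    ssl_certificate_key /etc/pki/tls/certs/www.sampledomain.com/sampledomain.key;

    # Verify the end user's certificate here, where their TLS session ends.
    # "optional" lets other locations stay open; protected ones check below.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client optional;

    location /contextroot1 {
        # Refuse requests that did not present a certificate signed by client-ca.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass https://backend_lbxaproxy/contextroot1;

        # Certificate nginx presents in its own handshake with haproxy.
        # haproxy must trust the CA that issued it.
        proxy_ssl_certificate     /etc/nginx/tls/nginx-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/nginx-client.key;

        # Authenticate haproxy too, so the hop is mutually verified.
        # proxy_ssl_name must match a name in haproxy's certificate; the
        # default ($proxy_host) would be the upstream name backend_lbxaproxy.
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_name   haproxy.internal.example;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Pass the verified identity on. proxy_set_header overwrites any
        # value the client sent under the same header name.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

The identity headers are only trustworthy if haproxy accepts them solely on connections authenticated with nginx's certificate; if haproxy must see the end user's certificate directly, the connection has to be passed through without TLS termination instead.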