Nginx can’t proxy client certificate authentication

WoMa nginx-forum at forum.nginx.org
Fri Mar 15 14:38:25 UTC 2019 

Hi, all

I have path: request https -> nginx -> haproxy -> http application
It works fine until I add client certificate authentication on haproxy.
When I add client certificate authentication on haproxy I getting error on
nginx:

2019/03/14 17:39:39 [error] 1090#0: *6254 SSL_do_handshake() failed (SSL:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:SSL alert number 40) while SSL handshaking to
upstream,

When I test it without nginx (https -> haproxy -> http application ) I can
authenticate with a client certificate
and all work fine.

(On nginx proxy to haproxy only  location /contextroot1 and  location
/contextroot2)

Any help or suggestions are appreciated.
Thanks!

My nginx version:  1.10.2
My nginx config:

upstream backend_www {
    server 172.16.1.4:443;
}
upstream backend_lbxaproxy {
    server 172.16.1.5:443;
    }

server {
    listen 443 ssl;
    server_name www.sampledomain.com;

    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    ssl_certificate
/etc/pki/tls/certs/www.sampledomain.com/sampledomain.crt;
    ssl_certificate_key
/etc/pki/tls/certs/www.sampledomain.com/sampledomain.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/pki/tls/certs/www.eskok.pl/CA_root.crt;


    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_dhparam /etc/pki/tls/certs/dhparam.pem;

    location / {
        proxy_pass https://backend_www;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
    }
    location /contextroot1 {
        proxy_pass https://backend_lbxaproxy/contextroot1;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
    }
    location /contextroot2 {
        proxy_pass https://backend_lbxaproxy/contextroot2;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
    }

}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283393,283393#msg-283393

More information about the nginx mailing list