Re: Nginx can’t proxy client certificate authentication

Francis Daly francis at daoine.org
Sat Mar 16 10:08:38 UTC 2019


On Fri, Mar 15, 2019 at 10:38:25AM -0400, WoMa wrote:

Hi there,

> I have path: request https -> nginx -> haproxy -> http application
> It works fine until I add client certificate authentication on haproxy.
> When I add client certificate authentication on haproxy I getting error on
> nginx:

Nothing can proxy (at an application level) client certificate authentication.

That is the point of certificates.

> When I test it without nginx (https -> haproxy -> http application ) I can
> authenticate with a client certificate
> and all work fine.

You could try a tcp-level proxy, which in nginx is spelled "stream". But...

> (On nginx proxy to haproxy only  location /contextroot1 and  location
> /contextroot2)

...then you lose the http-level facilities, like handling locations.

> Any help or suggestions are appreciated.

In nginx, you could include a header that includes an indication of the
client certificate and the fact that nginx has confirmed that the client
does have the certificate.

Then in haproxy, you would have to add something so that it trusts,
without verifying, that the client has the indicated certificate. (If
that header comes in a request from nginx.)

I do not know if the suggested haproxy config is possible.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org


More information about the nginx mailing list