Re: Nginx can’t proxy client certificate authentication
Francis Daly
francis at daoine.org
Sat Mar 16 10:08:38 UTC 2019
On Fri, Mar 15, 2019 at 10:38:25AM -0400, WoMa wrote:
Hi there,
> I have path: request https -> nginx -> haproxy -> http application
> It works fine until I add client certificate authentication on haproxy.
> When I add client certificate authentication on haproxy I getting error on
> nginx:
Nothing can proxy (at an application level) client certificate authentication.
That is the point of certificates.
> When I test it without nginx (https -> haproxy -> http application ) I can
> authenticate with a client certificate
> and all work fine.
You could try a tcp-level proxy, which in nginx is spelled "stream". But...
> (On nginx proxy to haproxy only location /contextroot1 and location
> /contextroot2)
...then you lose the http-level facilities, like handling locations.
> Any help or suggestions are appreciated.
In nginx, you could include a header that includes an indication of the
client certificate and the fact that nginx has confirmed that the client
does have the certificate.
Then in haproxy, you would have to add something so that it trusts,
without verifying, that the client has the indicated certificate. (If
that header comes in a request from nginx.)
I do not know if the suggested haproxy config is possible.
Good luck with it,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list