How to establish secure connection between NGINX <-> https upstream API
Francis Daly
francis at daoine.org
Fri Mar 13 13:30:54 UTC 2020
On Thu, Mar 12, 2020 at 10:47:40PM -0700, satscreate wrote:
Hi there,
> https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#
> location /upstream {
> proxy_pass https://$upstream$request_uri;
> proxy_ssl_certificate /etc/nginx/client.pem;
> proxy_ssl_certificate_key /etc/nginx/client.key;
> proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
> What are the client.pem and client.key files below?
>
> Are these the nginx client files which need to be created and signed by a CA?
The page you link to says
"""
Add the client certificate and the key that will be used to
authenticate NGINX on each upstream server with proxy_ssl_certificate
and proxy_ssl_certificate_key directives:
"""
and the documentation for those directives is at
http://nginx.org/r/proxy_ssl_certificate
Those files relate to the client certificate that nginx will offer to
the upstream server in order to identify itself.
> What is trusted_ca_cert.crt;?
http://nginx.org/r/proxy_ssl_trusted_certificate
That file allows nginx to verify that the certificate presented by the
upstream server is one that nginx is willing to consider acceptable.
> Is this related to backend.example.com? How can I obtain this?
Yes; the Certificate Authority that signed the backend.example.com
certificate should make this available to anyone they want to trust them.
> But I get the exception below when I hit the API.
>
> upstream SSL certificate verify error: (19:self signed certificate in
> certificate chain) while SSL handshaking to upstream, client: <user_ip>,
> server: <nginx_server_ip>, request: "POST /getsomething HTTP/1.1", upstream:
> "https://backend.example.com:443/getsomething", host: "nginx_server_ip"
I believe that that says that nginx (as the client) does not accept the
certificate provided by the server at backend.example.com; probably due
to nginx's proxy_ssl_trusted_certificate configuration not being what
it expects.
Cheers,
f
--
Francis Daly francis at daoine.org