reverse proxy with mTLS does not send client certificate to upstream

Maxim Dounin mdounin at mdounin.ru
Thu Oct 27 20:14:12 UTC 2022


Hello!

On Thu, Oct 27, 2022 at 01:56:25PM +0200, Andrej van der Zee wrote:

> I am trying to set up a TLS auth reverse proxy with proxy_ssl_certificate
> and proxy_ssl_certificate_key like below:
> 
> http {
>   server {
>     listen       8080;
>     resolver     8.8.8.8;
> 
>     location ~ /mimir/(.*)$ {
>       proxy_pass                https://<upstream-domain>/$1;
>       proxy_ssl_certificate_key /etc/nginx/tls-auth/mimir/tls.key;
>       proxy_ssl_certificate     /etc/nginx/tls-auth/mimir/tls.crt;
>     }
>   }
> }
> 
> Somehow the nginx reverse proxy does not send the configured client
> certificate, resulting in the error below from my upstream server:
> 
> <html>
> <head><title>400 No required SSL certificate was sent</title></head>
> <body>
> <center><h1>400 Bad Request</h1></center>
> <center>No required SSL certificate was sent</center>
> <hr><center>nginx</center>
> </body>
> </html>
> 
> What am I missing?

Any other https proxying to the same upstream but without 
certificates configured?

If there are any, it might be a good idea to disable SSL session 
reuse (http://nginx.org/r/proxy_ssl_session_reuse) or configure 
distinct upstream blocks/names for proxying with and without certs.

-- 
Maxim Dounin
http://mdounin.ru/
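The two workarounds Maxim suggests, shown side by side as an added example configuration (written for this page, not taken from the thread); the upstream host name mimir.example is a placeholder for the poster's upstream domain, and the /public/ location stands in for the hypothetical second location that proxies to the same host without a client certificate.

```nginx
http {
    resolver 8.8.8.8;

    # Option 2 (Maxim's second suggestion): give the with-cert and without-cert
    # paths distinct upstream names, so a TLS session established without a
    # client certificate is never resumed for a request that must present one.
    upstream mimir_mtls   { server mimir.example:443; }   # placeholder host
    upstream mimir_nocert { server mimir.example:443; }   # placeholder host

    server {
        listen 8080;

        # Option 1 (Maxim's first suggestion): keep proxying by host name, but
        # disable SSL session reuse on the location that needs the client cert.
        location ~ /mimir/(.*)$ {
            proxy_pass                https://mimir.example/$1;
            proxy_ssl_certificate     /etc/nginx/tls-auth/mimir/tls.crt;
            proxy_ssl_certificate_key /etc/nginx/tls-auth/mimir/tls.key;
            proxy_ssl_session_reuse   off;
        }

        # Same upstream host, no client certificate: with session reuse left on
        # (the default), a session from here could otherwise be resumed by the
        # location above, and the upstream would then see no certificate.
        location /public/ {
            proxy_pass https://mimir.example/;
        }

        # Option 2 in use: separate upstream names. proxy_ssl_name and the Host
        # header are set explicitly because nginx would otherwise derive them
        # from the upstream block name rather than the real host.
        location ~ /mimir-v2/(.*)$ {
            proxy_pass                https://mimir_mtls/$1;
            proxy_ssl_certificate     /etc/nginx/tls-auth/mimir/tls.crt;
            proxy_ssl_certificate_key /etc/nginx/tls-auth/mimir/tls.key;
            proxy_ssl_server_name     on;
            proxy_ssl_name            mimir.example;
            proxy_set_header          Host mimir.example;
        }

        location /public-v2/ {
            proxy_pass                https://mimir_nocert/;
            proxy_ssl_server_name     on;
            proxy_ssl_name            mimir.example;
            proxy_set_header          Host mimir.example;
        }
    }
}
```

Either option alone is enough; they are combined here only to show both in one file.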