nginx reverse proxy with two way SSL to weblogic

2019-02-16 00:30发布

问题:

I am trying to use nginx as a reverse proxy to web logic with two way SSL/mutual SSL.

Client <= Two way SSL => NGINX <= Two Way SSL => WebLogic server

Client to NGINX two way SSL works fine but getting below errors on upstream connecting to web logic.

nginx debug log:

2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 0
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: -1
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 2
2014/08/16 22:40:53 [debug] 33741#0: timer delta: 5
2014/08/16 22:40:53 [debug] 33741#0: posted events 0000000000000000
2014/08/16 22:40:53 [debug] 33741#0: worker cycle
2014/08/16 22:40:53 [debug] 33741#0: kevent timer: 59840, changes: 0
2014/08/16 22:40:53 [debug] 33741#0: kevent events: 2
2014/08/16 22:40:53 [debug] 33741#0: kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150
2014/08/16 22:40:53 [debug] 33741#0: *9 kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 1
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: 0
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 1
SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream
client: localhost, server: localhost, request: "GET /customers/~/xxxx/~/xxx/health HTTP/1.1", upstream: "https://xx.xx.xx.xxx:11211/customer-upstream/~/xxx/~/xxx/health/", host: "localhost:12121"

Here is my nginx configuration for upstream:

 proxy_cache_path /opt/openresty/nginx/cache levels=1:2 keys_zone=data-cache:8m max_size=1000m inactive=600m;

 proxy_temp_path /opt/openresty/nginx/cache/tmp;

upstream rs_backend {
        server xx.xx.xx.xxx:11211;
    }
server {
        server_name localhost;
        listen 12121 ssl;

        ssl                 on;
        ssl_verify_client on;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        #ssl_protocols  TLSv1;
        #ssl_ciphers  SSL_RSA_WITH_RC4_128_MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
        #ssl_ciphers HIGH:!MD5:!aNULL:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers   on;
        proxy_ssl_session_reuse off;
        large_client_header_buffers 4 32K;

        ssl_certificate           /etc/ssl/api-cert.pem;
        ssl_certificate_key    /etc/ssl/api-cert.key;
        ssl_client_certificate  /etc/ssl/api-cert.pem;


  location /customers/
        {
           rewrite                 ^/customers/(.*)  /customer-upstream/$1/ break;
           proxy_redirect off;
           proxy_ssl_verify on;
           proxy_ssl_verify_depth 4;
           proxy_ssl_trusted_certificate         /etc/ssl/api-cert-nopass.pem;

           proxy_pass_header Server;
           proxy_http_version 1.1;
           proxy_set_header Connection Keep-Alive;
           proxy_set_header   X-Real-IP        $remote_addr;
           proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
           proxy_set_header Host localhost:11211;
           proxy_set_header Accept 'application/json;v=3';

           proxy_pass https://xx.xx.xx.xxx:11211/;
           #proxy_pass https://rs_backend;
        }

I tried various options including commenting out below configs.

 proxy_ssl_verify on;
 proxy_ssl_verify_depth 4;

If I try using openssl c_client command line, I am able to connect and get 2xx response for HTTP GET request.

openssl c_client -connect xx.xx.xx.xxx:11211  -cert api-qaid-nopass.pem

Any help would be appreciated.

回答1:

I have added support for two way/mutual authentication using certificate and key.

See the pull request:

https://github.com/nginx/nginx/pull/7

http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005817.html

It is been validated against WebLogic 11g server which is configured for two way SSL.



回答2:

proxy_ssl_trusted_certificate is used to verify the certificate of the upstream server, not to specify the client certificate which should be used when connecting to the upstream server. As far as I know there is currently now way to make ngnix use a client certificate in the upstream connection.