client authentication when using nginx proxy_pass

Published 2019-07-29 04:01

My question is about nginx directive "proxy_pass".

I have an HTTP server and I need to redirect requests using HTTPS. I'm using the following statement: proxy_pass https://secure.server. In Wireshark I see that there is an SSL handshake, but the client (nginx proxy_pass https:) did not send a certificate in response to the server's SSL certificate request. Verifying the client certificate is required by the server. How can I force proxy_pass to send a client certificate when using https? Below is part of the nginx.conf configuration file:

server {
    listen  8888;
    server_name     _;
    error_page 405 =200 $uri;
    ssl_certificate       /usr/local/cert.pem;
    ssl_certificate_key   /usr/local/cert.pem;
    ssl_client_certificate  /usr/local/ca.cer;

    location ~ /uri/(.+) {
        proxy_pass https://secure.server;
        break;
    }
}

Tags: nginx
3 answers
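Added example, not taken from the question or any of the answers: the ssl_certificate, ssl_client_certificate and ssl_verify_client directives configure the TLS that nginx terminates on its own listener, while the certificate nginx presents on the connection it opens to the upstream comes from the proxy_ssl_* directives of the proxy module. The certificate and key paths, the upstream CA bundle and the upstream name are assumptions.

```nginx
# Added example: nginx acting as a TLS client toward the upstream.
# File paths and the upstream host name are assumptions.
server {
    listen      8888;
    server_name _;

    location ~ /uri/(.+) {
        proxy_pass https://secure.server;

        # Certificate and key nginx presents when the upstream sends a
        # CertificateRequest. The certificate must be issued by one of the
        # CAs the upstream lists as acceptable, or the upstream rejects it.
        proxy_ssl_certificate     /usr/local/client.pem;
        proxy_ssl_certificate_key /usr/local/client.key;

        # Verify the upstream's own certificate against its issuing CA
        # instead of accepting any certificate (the default is off).
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /usr/local/upstream-ca.pem;
        proxy_ssl_verify_depth        2;

        # Send the upstream host name via SNI so a name-based upstream
        # selects the right certificate, and restrict to modern TLS.
        proxy_ssl_server_name on;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
    }
}
```

After reloading, the CertificateRequest from the upstream should be answered with the configured certificate; if the upstream still closes the handshake, compare the "Acceptable client certificate CA names" it advertises with the issuer of client.pem.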
兄弟一词,经得起流年.
Floor 2 -- · 2019-07-29 04:07

You need to enable SSL client certificate verification.

Add this under the other SSL configurations:

ssl_verify_client on;

See more information here.

家丑人穷心不美
Floor 3 -- · 2019-07-29 04:21

During the SSL handshake, the server will send "client certificate CA names", i.e. the server will accept client certificates only from those CAs. The client will send a client certificate only if it has a cert signed by one of those CAs.

So in your case, verify:

  1. The CA names sent by the server for the client cert request. These will be the CAs you have configured in the truststore of the server, i.e. during the SSL handshake look for the CertificateRequest message.

  2. Make sure your client cert is signed by one of those CAs.

  3. The best option is to verify with curl that both your client and server certificates are configured properly: curl -vvv --cert /usr/local/cert.pem https://secure.server. If you are not able to figure it out from the curl output, please paste the curl output.

倾城 Initia
Floor 4 -- · 2019-07-29 04:29

I'm looking for the same solution as well.

I found SEnginx, which has a module called "Proxy HTTPS Client Certificate". From the description it seems that it should allow for client certificates, but I could not get it to work for me. The backend server simply would not prompt the client for a certificate.

Following is the link to SEnginx.

Also: Here is a possible explanation as to why this might not be possible.
