Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Configure Nginx to forward client certificate to backend

I have a spring boot service configured for two way ssl to verify clients using certificates. It is behind nginx proxy server. So requirements are to configure nginx to provide transparent https connection from the client and forward client certificate to the webservice(backend) to be verified. Also to configure one way ssl for other services that don't require client authentication.

Something like:

  1. |Client| -->httpS + Client Cert--->|NGINX|--->httpS + Client Cert--->|Service 1|

  2. |Client| ------------>httpS----------->|NGINX| ------------>http------------>|Service 2|

My nginx config:

server {
    listen       443;
    server_name  xx.xx.xx.xxx;

     ssl on;
     ssl_certificate      /path/to/server/cert.crt;
     ssl_certificate_key  /path/to/server/key.key;
     ssl_client_certificate /path/to/ca.crt;
     ssl_verify_client optional;

     location /service1/ {
         proxy_pass https://service1:80/;   
         #Config to forward client certificate or to forward ssl connection(handshake) to service1
     }

     location /service2/ {
         proxy_pass http://service2:80/;
         #http connection
     }
}

Also, is there a way to get the common name from the certificate to verify the client and take decisions in nginx? as using the CA is not enough.

Thanks..

like image 258
BaSic Avatar asked Oct 30 '22 12:10

BaSic


1 Answers

This is not possible. What you are attempting to do is make the nginx proxy into a "man in the middle" and this will not be allowed by TLS by design.

like image 73
PCaligari Avatar answered Nov 09 '22 07:11

PCaligari