I am trying to configure a subdomain to proxy requests to another server over which I have no control. A friend runs that server, and he uses his own CA to avoid paying for an SSL certificate. I tried my configuration proxying to one of my own subdomains, running a valid SSL certificate, and it worked fine, but as soon as I proxy to him and his "invalid" SSL certificate, nginx keeps asking me for my credentials.
Here is my configuration:
server
{
    listen [::]:443 ssl spdy;
    listen 443 ssl;
    server_name subdomain.mydomain.tld;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:RC4';
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 5m;
    ssl_certificate /etc/ssl/mydomain.crt;
    ssl_certificate_key /etc/ssl/mydomain.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/startssl.pem;
    add_header Strict-Transport-Security max-age=63072000;
    root /path/;
    location /
    {
        index /_h5ai/server/php/index.php;
        auth_basic "mydomain";
        auth_basic_user_file auth_file;
    }
    location /friend/
    {
        rewrite ^/friend/(.*) /$1 break;
        proxy_set_header Authorization "Basic base64_encoded";
        proxy_pass https://subdomain.friend.tld:443/blah/;
    }
    # The dot must be escaped, otherwise "~ .php$" also matches e.g. /fooXphp
    location ~ \.php$
    {
        fastcgi_pass 127.0.0.1:4242;
        include fastcgi.conf;
        fastcgi_read_timeout 3600;
    }
}
I do not have any errors in the logs. I can browse everything fine outside of /friend, it authenticates fine, but as soon as I get into /friend the authentication prompt just keeps popping up as if I had a wrong password. I know my base64 encoded string is valid, and I tested it by replicating the same auth on one of my subdomains and it worked fine, so the only explanation left I can think of is that nginx doesn't like his certificate.
Is there some configuration I might have missed that would allow me to trust his CA? Or just to disable the verification; the data aren't sensitive at all, it'd be fine even over HTTP, but he doesn't want to bother with configuring that on his server. So disabling the verification would be a good enough solution for me.
Thanks
You should install your friend's CA cert (not the webserver cert, but the CA cert he created and used to sign his webserver cert) into the default OpenSSL CA store.
First you need to determine where OpenSSL keeps its files on your system. On Linux it's usually:
cd /etc/ssl/certs
Save your friend's CA cert, in PEM format, into that directory.
Then you need to determine the hash of that cert:
openssl x509 -noout -hash -in your-friends-ca.pem
and create a symlink to the cert file with the hash as the filename and with the filename extension .0:
ln -s your-friends-ca.pem 34ae50c5.0
Then restart Nginx.
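As an added example (not part of the question or the answer above), the /friend/ location can also be told to trust the friend's CA inside nginx itself, using the proxy_ssl_* directives rather than the system-wide OpenSSL store. The CA file path /etc/ssl/friend-ca.pem is an assumption; the upstream hostname is the one from the question.

```nginx
# Added example, not from the original post. Assumes the friend's CA
# certificate (PEM, the signing CA, not the server cert) is saved as
# /etc/ssl/friend-ca.pem.
location /friend/
{
    rewrite ^/friend/(.*) /$1 break;
    proxy_set_header Authorization "Basic base64_encoded";
    proxy_pass https://subdomain.friend.tld:443/blah/;

    # proxy_ssl_verify defaults to off: without the lines below nginx
    # accepts any upstream certificate, so anyone able to intercept the
    # nginx -> upstream connection could present their own certificate
    # and read the forwarded Authorization header.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/ssl/friend-ca.pem;

    # Send SNI and check the certificate name against the upstream host,
    # so a valid certificate for a different name is still rejected.
    proxy_ssl_server_name on;
    proxy_ssl_name        subdomain.friend.tld;
}
```

With verification on, an upstream certificate that does not chain to friend-ca.pem makes nginx answer 502 and write a verify error to error.log, which is a far more observable failure than a repeated credential prompt.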