Handling different two way ssl-request via a proxy system

Hello,

Currently we’ve got the following situation in our production
environment:

Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA PROXY —> HTTPS SERVERS

Just to be clear, the following services are used during this flow:

http client (firefox, chrome, curl, wget, etc.) —> Apache —> Squid —>
HTTPS services of other parties on the internet, supporting two-way ssl

We’ve realized this using the following configuration on the apache
service:

LoadModule ssl_module modules/mod_ssl.so

Listen *:3128

<VirtualHost *:3128>

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem
    SSLProxyCACertificateFile /etc/httpd/certs/ca.crt

    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]

    ProxyPreserveHost On
    ProxyPass / https://$1/
    ProxyPassReverse / https://$1/

    ProxyRemote https http://192.168.68.102:3128

</VirtualHost>

We’re trying to replace the apache service by using nginx. I’ve
installed nginx 1.7.12 on CentOS 6.6 and have realized in a development
environment a two-way ssl:

http client —> Nginx 1.7.12 —> https two-way ssl directly —>
https.example.com

server {
    listen 3128;
    location / {
        # this enables verification of the upstream server certificate
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;

        # client certificate for upstream server
        proxy_ssl_certificate /etc/nginx/certs/client.crt;

        # client key generated from upstream cert
        proxy_ssl_certificate_key /etc/nginx/certs/client.key;

        proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;

        # Specifying "https" causes NGINX to encrypt the traffic
        proxy_pass https://https.example.com:443/;
    }
}

There are two things I haven’t realized in the development environment,
because I don’t know how:

  1. Making Nginx 1.7.12 use a proxy system, because that’s our
     policy for communicating with the outside world.
  2. Making the configuration as variable as possible, so that Nginx
     1.7.12 handles all the different http client requests to different https
     servers and sends them on as https two-way ssl. Currently it only handles
     requests for https.example.com.

Any help is welcome.

Abdelouahed
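As an added example (not from the thread, and not an nginx-project sample), this is one way to address the second point, a single nginx server block that forwards to whichever HTTPS origin the client's Host header names, while still presenting the client certificate and verifying the upstream. The allow-list entries, certificate paths and resolver address are assumptions. It does not address the first point: it connects to the origins directly, not through a forward proxy.

```nginx
# Added example: variable two-way TLS upstream in nginx (>= 1.7.8 for
# proxy_ssl_certificate). Hosts, paths and the resolver are assumptions.

# Map the requested host to an upstream name. Any host not listed maps to ""
# and is refused below. Without such an allow-list the block would relay to any
# HTTPS server on the internet and hand it our client certificate on the way.
map $host $mtls_upstream {
    default                 "";
    "https.example.com"     "https.example.com";
    "partner.example.org"   "partner.example.org";
}

server {
    listen 3128;

    # A variable in proxy_pass makes nginx resolve the name per request, so a
    # resolver is mandatory (internal DNS address is an assumption).
    resolver 192.168.68.53 valid=300s;

    location / {
        if ($mtls_upstream = "") {
            return 403;
        }

        # Verify the upstream server certificate against our CA bundle ...
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;

        # ... and match it against the host actually being contacted rather
        # than a fixed name. proxy_ssl_server_name also sends that name as SNI,
        # which many HTTPS endpoints need before they present the right cert.
        proxy_ssl_name                $mtls_upstream;
        proxy_ssl_server_name         on;

        # Client certificate and key presented to the upstream (two-way TLS).
        proxy_ssl_certificate         /etc/nginx/certs/client.crt;
        proxy_ssl_certificate_key     /etc/nginx/certs/client.key;

        proxy_set_header Host $mtls_upstream;
        proxy_pass https://$mtls_upstream$request_uri;
    }
}
```

Using `$host` rather than `$http_host` strips any port and lowercases the name, so the map keys match what the client actually asked for. The map is the important part from a security point of view: a client certificate is a credential, and a relay that will present it to any name a client supplies is effectively sharing that credential with whoever can reach port 3128.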

On Mon, Apr 13, 2015 at 09:13:22AM +0200, Abdelouahed Haitoute wrote:

> Hi there,
>
> Currently we’ve got the following situation in our production environment:
>
> Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA PROXY —> HTTPS SERVERS
>
> We’re trying to replace the apache service by using nginx.

nginx does not talk to a proxy.

nginx is not a proxy.

nginx may not be the right tool for your system.

f

Francis D.