Proxy_ssl_certificate not working as expected

Hello,

I’m using nginx as a proxy to a backend server.
The backend server is also using nginx and enforcing client certificate
authentication using the ssl_client_certificate and ssl_verify_client
directives.

In my nginx server I set the following:

location /proxy {
    proxy_pass                 https://www.backend.com;

    proxy_set_header           X-Forwarded-Host $host;
    proxy_set_header           X-Forwarded-Server $host;
    proxy_set_header           X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_ssl_certificate      /etc/nginx/cert/client.crt;
    proxy_ssl_certificate_key  /etc/nginx/cert/client.key;
}

according to
Module ngx_http_proxy_module.

However, the backend is still responding with a 400 response code “No
required SSL certificate was sent”.

Note that when issuing requests to the backend server using wget with
the
client certificate, I get a valid 200 OK response.

What am I missing in my nginx configuration?

Posted at Nginx Forum:

Hello!

On Sun, Mar 13, 2016 at 07:24:05AM -0400, elanh wrote:

>     proxy_pass                 https://www.backend.com;
>
> Module ngx_http_proxy_module.
>
> However, the backend is still responding with a 400 response code “No
> required SSL certificate was sent”.
>
> Note that when issuing requests to the backend server using wget with the
> client certificate, I get a valid 200 OK response.
>
> What am I missing in my nginx configuration?

Configuration looks fine, but likely it’s not a configuration
which is used to handle the requests. Some basic hints:

  • make sure to test with something low level like
    telnet/curl/wget, browsers often return cached results;

  • check if the configuration is actually loaded (you can use “nginx -t”
    to check for syntax errors; look into error log after a
    configuration reload to make sure reload went fine; just stop and
    then start nginx to make sure);

  • make sure the location you are configuring is one used for
    requests (a simple test would be to write something like
    “return 200 ok;” in it and check if “ok” is actually returned).

Note well that proxy_ssl_certificate is only available in nginx
1.7.8 and newer. Configuration testing as done by “nginx -t”
should complain about unknown directives if you are using an older
version.


Maxim D.
http://nginx.org/
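Maxim's checklist above, turned into a small diagnostic script. This is an added example, not code from the thread or from the nginx project; the function names are hypothetical, and it assumes curl and openssl are installed and that "nginx -T" (available since 1.9.2) can dump the effective configuration.

```shell
#!/bin/sh
# Diagnostics for the proxy_ssl_certificate problem discussed above.
# Hypothetical helper functions (added example, not nginx's own tooling).

# 0 if the "nginx -v"/"nginx -V" text names 1.7.8 or newer (the first
# release with proxy_ssl_certificate); 1 if older; 2 if no version found.
nginx_has_proxy_ssl_cert() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*nginx\/\([0-9][0-9.]*\).*/\1/p' | head -n1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; minor=0; patch=0
    case "$ver" in
        *.*.*) rest=${ver#*.}; minor=${rest%%.*}; rest=${rest#*.}; patch=${rest%%.*} ;;
        *.*)   minor=${ver#*.} ;;
    esac
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && { [ "$minor" -gt 7 ] ||
         { [ "$minor" -eq 7 ] && [ "$patch" -ge 8 ]; }; }; }; then
        return 0
    fi
    return 1
}

# 0 if the location block named by $2 in the config dump $1 (e.g. from
# "nginx -T > dump.conf") carries both proxy_ssl_certificate and its key.
location_has_client_cert() {
    awk -v loc="$2" '
        !inloc && $1 == "location" && index($0, " " loc " ") { inloc = 1; depth = 0 }
        inloc {
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")   # track brace nesting
            if ($1 == "proxy_ssl_certificate")     crt = 1
            if ($1 == "proxy_ssl_certificate_key") key = 1
            if (depth <= 0) inloc = 0                    # left the location block
        }
        END { exit !(crt && key) }' "$1"
}

# 0 if the certificate and private key belong together (works for any key type).
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    b=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$a" = "$b" ]
}

# Low-level probe of the backend with the same client cert, like the wget test:
# prints the HTTP status (a 400 here means the cert was not presented/accepted).
probe_backend() {
    curl -sS -o /dev/null -w '%{http_code}' --cert "$2" --key "$3" "$1"
}

# Usage: sh check.sh dump.conf /proxy [https://www.backend.com client.crt client.key]
if [ "$#" -ge 2 ]; then
    nginx_has_proxy_ssl_cert "$(nginx -V 2>&1)" && echo "version ok" || echo "version too old"
    location_has_client_cert "$1" "$2" && echo "location ok" || echo "directives missing in $2"
    [ "$#" -ge 5 ] && cert_matches_key "$4" "$5" && probe_backend "$3" "$4" "$5"
fi
```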

Hello Maxim,

The configuration is loaded correctly and is handling requests.
“nginx -t” shows that all is OK and a 200 OK response is returned
correctly.
My front-end server is running version 1.9.10 (I ran “nginx -v”).
So proxy_ssl_certificate is valid in my case.

The backend server is running version 1.4.6 - but does this matter?


Here is my full “nginx -V” output:
nginx version: nginx/1.9.10
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1k 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx
--with-http_ssl_module --with-http_realip_module
--with-http_addition_module
--with-http_sub_module --with-http_dav_module --with-http_flv_module
--with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module
--with-http_auth_request_module --with-threads --with-stream
--with-stream_ssl_module --with-http_slice_module --with-mail
--with-mail_ssl_module --with-file-aio --with-http_v2_module
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-z,relro
-Wl,--as-needed' --with-ipv6
