nginx - reverse proxy certificate authentication
This answer worked for me:
https://stackoverflow.com/questions/41933654/nginx-reverse-proxy-certificate-authentication
The trick was to create a personal certificate (via the provided command) and use the hostname/DNS combo under the certificate.
Luiz Carlos
Updated on September 18, 2022

Comments

Luiz Carlos, over 1 year ago:
I'm trying to use nginx as a reverse proxy to an internal webserver running Tomcat, which hosts a front-end to our ERP system.
It is already working fine: I can connect to the nginx server (which is locked down on our network: different VLAN, firewall, etc.) and it reverse proxies to my ERP server.
However, I want to add an extra layer of protection by requiring users to have a digital certificate on their computer in order to access the first (nginx) server. The certificate is not used or needed by the back-end server.
I've been through this tutorial http://nategood.com/client-side-certificate-authentication-in-ngi which allowed me to generate my self-signed certificates and everything else.
When using ssl_verify_client optional in the nginx configuration, I can connect normally to my back-end server, but no certificate is asked for or required.
When I switch it to ssl_verify_client on, all access is then blocked by a
400 Bad Request No required SSL certificate was sent
no matter which browser I am using (Chrome, IE, Edge, Firefox). Of course I've put all the certificates/chain on my client computer, but no certificate is asked for in any browser. What am I missing?
Here is my full nginx config:
server {
    listen 443;
    ssl on;
    server_name 103vportal;
    ssl_password_file /etc/nginx/certs/senha.txt;
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # CA that must have issued every client certificate; with "on", a
    # handshake that presents no such certificate is answered with a 400
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;
    location / {
        proxy_pass http://10.3.0.244:16030;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
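The step the accepted answer describes, generating a personal (client) certificate that the proxy's CA has actually signed, as an added example that is not code from the original question or answer. It builds a private CA, issues a client certificate for one user, bundles it as PKCS#12 for browser import, and checks with openssl that the certificate chains to the same ca.crt nginx will be given, which is exactly what "ssl_verify_client on" requires. The CA name, the client CN "luiz", the hypothetical X-SSL-Client-DN header and the file names are assumptions for illustration; the host name, backend address and certificate paths are the ones from the posted config.

```shell
#!/bin/sh
# Added example, not code from the original post: client-certificate PKI for
# an nginx reverse proxy with ssl_verify_client on. CA name, client CN and
# file names are assumptions.
set -eu

# make_client_pki DIR CLIENT_CN
# Writes ca.crt/ca.key, client.key/client.crt and a browser-importable
# client.p12 under DIR. ca.crt is the file for nginx's ssl_client_certificate.
make_client_pki() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    # 1. Private, self-signed CA. Only certificates issued by this key will
    #    satisfy "ssl_verify_client on" on the proxy.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=103vportal client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Client key and CSR. The CN is what nginx later exposes as $ssl_client_s_dn.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. Sign the CSR with the CA and mark the cert for TLS client auth;
    #    browsers only offer certificates whose EKU permits clientAuth.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
    # 4. PKCS#12 bundle (key + cert) for importing into the user's browser.
    openssl pkcs12 -export -passout pass:changeit -name "$cn" \
        -inkey "$dir/client.key" -in "$dir/client.crt" -out "$dir/client.p12"
}

# verify_client_cert CA_CRT CLIENT_CRT
# Returns 0 when CLIENT_CRT chains to CA_CRT and is usable as a TLS client
# certificate, i.e. the check nginx performs with ssl_verify_client on.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_cert_cn CLIENT_CRT
# Prints the subject DN in RFC 2253 form, the value nginx puts in $ssl_client_s_dn.
client_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# write_nginx_snippet FILE
# Server block that enforces the client certificate and forwards the verified
# subject to Tomcat, which does no certificate checking of its own.
# X-SSL-Client-DN is an assumed header name; pick whatever the ERP expects.
write_nginx_snippet() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name 103vportal;
    ssl_certificate        /etc/nginx/certs/server.crt;
    ssl_certificate_key    /etc/nginx/certs/server.key;
    ssl_password_file      /etc/nginx/certs/senha.txt;
    ssl_client_certificate /etc/nginx/certs/ca.crt;   # the ca.crt generated above
    ssl_verify_client on;
    ssl_verify_depth 1;   # raise this if an intermediate CA issues the client certs
    location / {
        proxy_pass http://10.3.0.244:16030;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;   # verified identity for the ERP
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
EOF
}

# Usage: sh client-cert-pki.sh demo   (guarded so the file can also be sourced)
if [ "${1:-}" = "demo" ]; then
    make_client_pki ./pki luiz
    write_nginx_snippet ./pki/103vportal.conf
    verify_client_cert ./pki/ca.crt ./pki/client.crt && echo "client.crt chains to ca.crt"
    client_cert_cn ./pki/client.crt
fi
```

Two checks are worth running before blaming the browsers. `openssl s_client -connect 103vportal:443` prints an "Acceptable client certificate CA names" section during the handshake; the CA in it must be the issuer of the certificate installed on the client, because browsers silently skip certificates whose issuer is not on that list, which produces exactly the 400 above. Then `curl --cacert server.crt --cert client.crt --key client.key https://103vportal/` should return the ERP page, and the same request without `--cert` should get the 400. Note that `ssl_verify_client optional` never blocks anything: it only populates `$ssl_client_verify`, so the "working" behaviour with `optional` was the proxy letting unauthenticated clients through.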