Proxy HTTPS Client Certificate
Synopsis
This feature extends nginx's proxy module so that SEnginx can complete the TLS handshake with an HTTPS backend server using a user-specified client certificate. It is mainly used when the backend server has enabled "Client Certificate Verification".
In addition, mutual HTTPS authentication can be achieved by also verifying the backend server's certificate, which is done by configuring a CA certificate in SEnginx.
This feature is provided in version 1.5.13
Directives
proxy_ssl_certificate
Syntax | proxy_ssl_certificate file; |
Default | - |
Context | HTTP/Server/Location |
Specifies the certificate, in PEM format, that SEnginx presents to the backend HTTPS server during the handshake. This directive is similar to the ssl_certificate directive of nginx.
proxy_ssl_certificate_key
Syntax | proxy_ssl_certificate_key file; |
Default | - |
Context | HTTP/Server/Location |
Specifies the private key, in PEM format, that matches the certificate given by proxy_ssl_certificate. This directive is similar to the ssl_certificate_key directive of nginx.
proxy_ssl_verify_server
Syntax | proxy_ssl_verify_server off/on/optional/optional_no_ca; |
Default | off |
Context | HTTP/Server/Location |
Enables verification of the backend server's certificate. The parameters have the same meaning as those of the ssl_verify_client directive in nginx.
proxy_ssl_verify_depth
Syntax | proxy_ssl_verify_depth number; |
Default | 1 |
Context | HTTP/Server/Location |
Sets the verification depth for the backend server's certificate chain. This directive is similar to the ssl_verify_depth directive of nginx.
proxy_ssl_server_certificate
Syntax | proxy_ssl_server_certificate file; |
Default | - |
Context | HTTP/Server/Location |
Specifies a file with trusted CA certificates, in PEM format, used to verify the backend server's certificate. This directive is similar to the ssl_client_certificate directive of nginx.
Examples
Prepare the following certs/keys by using openssl command:
- ca.crt
- server.crt/server.key
- client.crt/client.key
server.crt and client.crt are both signed by the same CA certificate, ca.crt. server.key and client.key are the private keys that match the respective .crt files. Copy server.crt, server.key and ca.crt to the backend server that provides the HTTPS service. Copy client.crt, client.key and ca.crt to the server that runs SEnginx as a reverse proxy.
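The following script is an added example, not part of the SEnginx documentation: it builds the ca.crt, server.crt/server.key and client.crt/client.key files described above with openssl, then checks the two properties the setup depends on, namely that both leaf certificates chain to ca.crt and that each private key matches its certificate. The function names, output directory and subject names are constructed for this example.

```shell
# Added example: create the demo PKI the page asks for and sanity-check it.
# make_demo_pki DIR  -> writes ca.crt, server.crt/.key, client.crt/.key into DIR
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA (constructed demo subject name).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Proxy CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # One leaf certificate per role, both signed by the same CA as the text requires.
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=demo-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 365 \
            -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -out "$dir/$role.crt" 2>/dev/null
    done
}

# check_demo_pki DIR -> prints "ok" when server.crt and client.crt verify against
# ca.crt and each .key carries the same public key as its .crt; "fail" otherwise.
check_demo_pki() {
    dir="$1"
    for role in server client; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$role.crt" >/dev/null 2>&1 \
            || { echo fail; return 1; }
        # Compare the SubjectPublicKeyInfo from the cert with the one derived from the key.
        cert_pub=$(openssl x509 -noout -pubkey -in "$dir/$role.crt")
        key_pub=$(openssl pkey -pubout -in "$dir/$role.key" 2>/dev/null)
        [ "$cert_pub" = "$key_pub" ] || { echo fail; return 1; }
    done
    echo ok
}

# Stand-alone run: build into a temporary directory and report the check result.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
printf 'certs written to %s, check: %s\n' "$demo_dir" "$(check_demo_pki "$demo_dir")"
```

Copy the resulting server.* and ca.crt to the backend and client.* and ca.crt to the SEnginx host, as described above.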
Example of Proxying to a Client-Verification Enabled Backend Server
Configuration of the backend HTTPS server. Create a server block and enable client verification. The following is an example for SEnginx/nginx; any other web server that supports client certificate verification can be used instead:
server {
    listen 443 ssl;
    ssl_certificate certs/server.crt;
    ssl_certificate_key certs/server.key;
    ssl_verify_client on;
    ssl_client_certificate certs/ca.crt;
    ...
}
Configuration of SEnginx on the reverse proxy server:
# upstream group named "backend", referenced by proxy_pass below
upstream backend {
    server some-ip:443;
}

server {
    listen 80;
    location / {
        proxy_ssl_certificate certs/client.crt;
        proxy_ssl_certificate_key certs/client.key;
        proxy_pass https://backend;
    }
}
Example of Mutual HTTPS Authentication
The backend server's configuration is unchanged. The following is the configuration of the reverse proxy server, which now also verifies the backend's certificate against ca.crt:
# upstream group named "backend", referenced by proxy_pass below
upstream backend {
    server some-ip:443;
}

server {
    listen 80;
    location / {
        proxy_ssl_certificate certs/client.crt;
        proxy_ssl_certificate_key certs/client.key;
        proxy_ssl_verify_server on;
        proxy_ssl_server_certificate certs/ca.crt;
        proxy_pass https://backend;
    }
}