Proxy HTTPS Client Certificate

Contents

Proxy HTTPS Client Certificate

Synopsis

This feature extends nginx's proxy module so that SEnginx can complete a TLS handshake with an HTTPS backend server using a user-specified client certificate. It is mainly used when the backend server has client certificate verification enabled.
In addition, mutual HTTPS authentication can be achieved by configuring a CA certificate in SEnginx so that the backend server's certificate is verified as well.

This feature is provided in version 1.5.13

Directives

proxy_ssl_certificate

Syntax proxy_ssl_certificate file;
Default -
Context HTTP/Server/Location

Specifies a certificate in PEM format that is presented to the backend HTTPS server during the handshake. This directive is similar to the ssl_certificate directive of nginx.

proxy_ssl_certificate_key

Syntax proxy_ssl_certificate_key file;
Default -
Context HTTP/Server/Location

Specifies the private key, in PEM format, that matches the certificate given by proxy_ssl_certificate. This directive is similar to the ssl_certificate_key directive of nginx.

proxy_ssl_verify_server

Syntax proxy_ssl_verify_server off | on | optional | optional_no_ca;
Default off
Context HTTP/Server/Location

Enables verification of the backend server's certificate. The parameters have the same meaning as those of the ssl_verify_client directive in nginx. With the default of off, the proxy completes the handshake with whatever certificate the backend presents, so only the backend authenticates the proxy and not the other way round.

proxy_ssl_verify_depth

Syntax proxy_ssl_verify_depth number;
Default 1
Context HTTP/Server/Location

Sets the verification depth of the backend server's certificate chain. This directive is similar to the ssl_verify_depth directive of nginx.

proxy_ssl_server_certificate

Syntax proxy_ssl_server_certificate file;
Default -
Context HTTP/Server/Location

Specifies a file with trusted CA certificates in PEM format that is used to verify the backend server's certificate. This directive is similar to the ssl_client_certificate directive of nginx.

Examples

Prepare the following certificates and keys with the openssl command:

  • ca.crt
  • server.crt/server.key
  • client.crt/client.key

server.crt and client.crt are issued by the same CA certificate, ca.crt. server.key and client.key are the private keys matching the respective certificates. Copy server.crt, server.key and ca.crt to the backend server that provides the HTTPS service. Copy client.crt, client.key and ca.crt to the server that runs SEnginx as a reverse proxy.
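The following script is an added example of how the three files above can be produced with a single private CA; it is not part of the SEnginx project and the subject names (example-ca, backend.example.internal, senginx-proxy) are assumptions. Besides generating the files it checks that both leaf certificates chain to ca.crt and that each certificate matches its key, which is exactly what the backend (for client.crt) and SEnginx with proxy_ssl_verify_server (for server.crt) will later check.

```shell
#!/bin/sh
# Added example: generate ca.crt, server.crt/server.key and client.crt/client.key
# from one private CA, then verify the result. Subject names are assumptions.
set -eu

make_certs() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA: private key plus self-signed certificate (this is ca.crt)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # 2. Server: key + CSR, signed by the CA, marked for serverAuth only
    printf 'extendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' > "$dir/server.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=backend.example.internal" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1

    # 3. Client: key + CSR, signed by the same CA, marked for clientAuth only
    printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' > "$dir/client.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=senginx-proxy" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 825 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" >/dev/null 2>&1

    # Private keys are readable by the owner only; ca.key stays on this host
    chmod 600 "$dir"/*.key
}

# Returns 0 when both leaf certificates chain to ca.crt and each certificate's
# public key matches the private key that goes with it.
verify_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null
    for name in server client; do
        crt_pub=$(openssl x509 -noout -pubkey -in "$dir/$name.crt")
        key_pub=$(openssl pkey -pubout -in "$dir/$name.key")
        [ "$crt_pub" = "$key_pub" ] || return 1
    done
}

# Usage: CERT_DIR=./certs sh make-certs.sh
if [ -n "${CERT_DIR:-}" ]; then
    make_certs "$CERT_DIR"
    verify_certs "$CERT_DIR"
    echo "certificates written to $CERT_DIR"
fi
```

Only ca.crt is shared with both hosts; ca.key is needed solely for issuing and should not be copied to either the backend or the proxy.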

Example of Proxying to a Client-Verification Enabled Backend Server

Configuration of the backend HTTPS server. Create a server block and enable client verification. The following is an example for SEnginx/nginx; other web server software can be used instead:

server {
    listen 443 ssl;

    ssl_certificate        certs/server.crt;   # certificate presented to the proxy
    ssl_certificate_key    certs/server.key;
    ssl_verify_client      on;                 # reject connections without a valid client certificate
    ssl_client_certificate certs/ca.crt;       # CA that issued client.crt

    ...
}

Configuration of SEnginx on the reverse proxy server:

upstream backend {
    server some-ip:443;
}

server {
    listen 80;

    location / {
        # client certificate and key presented to the backend during the handshake
        proxy_ssl_certificate        certs/client.crt;
        proxy_ssl_certificate_key    certs/client.key;

        proxy_pass https://backend;
    }
}

Example of Mutual HTTPS Authentication

The backend server's configuration is unchanged. The following is the configuration of the reverse proxy server:

upstream backend {
    server some-ip:443;
}

server {
    listen 80;

    location / {
        # client certificate and key presented to the backend during the handshake
        proxy_ssl_certificate        certs/client.crt;
        proxy_ssl_certificate_key    certs/client.key;
        # additionally verify the backend's certificate against the CA that issued server.crt
        proxy_ssl_verify_server      on;
        proxy_ssl_server_certificate certs/ca.crt;

        proxy_pass https://backend;
    }
}