Patch:  The attached patch adds support for two-way SSL authentication using
a client certificate and key for the upstream in the http proxy
(ngx_http_proxy_module.c).

Use Case:
  At my company, we are using two-way SSL authentication for communication
among all application servers. This is a security (NPI/PCI) requirement due
to our being a financial firm.

Currently we are using Oracle Service Bus (OSB) for reverse proxying, client
authentication and upstream routing, which I am planning to replace with
nginx.

In my prototype, I found that nginx doesn't support two-way SSL
authentication for the upstream proxy, for which I have provided a fix.

Patch details:

The logic is as below.


if proxy_ssl_trusted_certificate is configured and
(proxy_ssl_client_certificate or proxy_ssl_client_certificate_key) is
configured
   it logs a warning that proxy_ssl_client_certificate or
proxy_ssl_client_certificate_key will be ignored.

if proxy_ssl_trusted_certificate is configured then
    it uses ssl_trusted_certificate for authentication
else if proxy_ssl_client_certificate and
proxy_ssl_client_certificate_key are configured,
   it uses both to do two-way authentication
else
   it logs an error that either proxy_ssl_trusted_certificate or
(proxy_ssl_client_certificate and proxy_ssl_client_certificate_key) is
required.

Added the following two new config parameters:


proxy_ssl_client_certificate  cert.pem;
proxy_ssl_client_certificate_key cert.key;


Please let me know if you have any questions.

Thanks,
Rohit Joshi

Attachment: ngx_http_proxy_module.c.patch
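The following configuration is an added example written to illustrate how the two directives proposed in the message above would be used; it is not part of the patch or the nginx documentation. proxy_ssl_client_certificate and proxy_ssl_client_certificate_key are the patch's proposed names and are not stock nginx directives; proxy_ssl_trusted_certificate and proxy_ssl_verify are stock directives. All file paths, hostnames and the upstream name are placeholders. Because the logic described in the message treats proxy_ssl_trusted_certificate as taking precedence over (and ignoring) the client-certificate pair, the two cases are shown in separate locations rather than combined:

```nginx
# Added example (not from the patch). Directive names taken from the message
# above; every path and hostname below is a placeholder.
http {
    upstream app_backend {
        server app1.internal.example:8443;   # placeholder upstream
    }

    server {
        listen 443 ssl;
        server_name gateway.example;          # placeholder

        # Front-side TLS (client -> nginx); untouched by the patch.
        ssl_certificate     /etc/nginx/tls/gateway.crt;
        ssl_certificate_key /etc/nginx/tls/gateway.key;

        # Case 2 of the described logic: proxy_ssl_trusted_certificate is NOT
        # set and both client-cert directives are set, so nginx presents this
        # certificate/key to the upstream during the TLS handshake.
        location /api/ {
            proxy_pass https://app_backend;
            proxy_ssl_client_certificate     /etc/nginx/tls/upstream-client.pem;
            proxy_ssl_client_certificate_key /etc/nginx/tls/upstream-client.key;
        }

        # Case 1 of the described logic: proxy_ssl_trusted_certificate is set,
        # so the client-cert directives would be ignored (with a warning) if
        # they were present; only the CA bundle used to verify the upstream's
        # certificate is configured here, with verification switched on.
        location /health/ {
            proxy_pass https://app_backend;
            proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;
            proxy_ssl_verify on;
        }
    }
}
```

After rebuilding nginx with the patch applied, `nginx -t` on this file checks that both directives are recognised before the configuration is reloaded. One point worth checking when reviewing the patch itself: in a full mutual-TLS deployment an operator normally wants both behaviours in the same location (verify the upstream's certificate against a trusted CA and present a client certificate), whereas the logic as described makes the two alternatives, so the /api/ location above does not verify the upstream's certificate.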
