I'm trying to use nginx as a reverse proxy to an internal webserver running Tomcat, which hosts a front-end to our ERP system.

It is already working fine: I can perfectly connect to the nginx server (which is locked up on our network, different VLAN, firewall, etc etc etc) and then reverse proxy to my ERP server.

However, I want to add an extra layer of protection, by requiring users to have a digital certificate on their computer, so they can access the first (nginx) server. The certificate is not used/necessary to the back-end server.

I've been through this tutorial http://nategood.com/client-side-certificate-authentication-in-ngi which allowed me to generate my self-signed certificates and everything else.

When using ssl_verify_client optional on nginx configuration, I can connect normally to my back-end server, but no certificate is asked/required.

When I switch it to ssl_verify_client on, all access is then blocked by a

400 Bad Request

No required SSL certificate was sent

No matter which browser I am using (Chrome, IE, Edge, Firefox). Of course I've put all certificates/chain on my client computer, but no certificate is asked for in any browser. What am I missing?

Here is my full nginx config:

server {
        listen 443;
        ssl on;
        server_name 103vportal;

        ssl_password_file /etc/nginx/certs/senha.txt;
        ssl_certificate      /etc/nginx/certs/server.crt;
        ssl_certificate_key  /etc/nginx/certs/server.key;
        ssl_client_certificate /etc/nginx/certs/ca.crt;
        ssl_verify_client on;


        location / {
                proxy_pass http://10.3.0.244:16030;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                proxy_read_timeout 300;
                proxy_send_timeout 300;
        }

}
Your client certificate is signed by the ca.crt and is listed under your Personal Certificates in the browser? And you have cleared the browser cache since reconfiguring the server? - Richard Smith
@RichardSmith hi there, thanks for the help. Yes, it is signed by ca.crt as per the tutorial. However, it is really strange, as even forcing it (Internet Explorer certs) it does not list under Personal Certificates, but under Intermediate Authorities. I also noticed this, but I followed the tutorial to the letter, since this is my first time implementing this. Maybe the cert is not "client/personal"? Any way to generate it through openssl? - Luiz Carlos
I create a PKCS#12 file with a password to get the private key and the signed certificate into the browser's list of personal certificates. The intermediate certificate store will not work for you. - Richard Smith
do you know the command to generate it? - Luiz Carlos

1 Answer

Assuming you have generated a private key and a certificate request for your user and signed it with your client CA, you need to get the private key and the signed certificate into the list of personal certificates in the browser.

I have found that the best way is to create a password protected PKCS#12 (as some browsers insist on password protection). I use the following OpenSSL command:

cat user.key user.crt | openssl pkcs12 -export -out user.p12
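The whole client-side chain the question and answer walk through, as an added example (not code from the question, the answer, or the linked tutorial): issue a client CA, sign an end-entity certificate marked for client authentication so browsers file it under Personal rather than Intermediate Authorities, run the same chain check nginx performs with ssl_verify_client on, and export the password-protected PKCS#12. It assumes openssl is on PATH; the file names mirror the answer, while the subject names and the password passed in are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build a client CA, issue one
# end-entity client certificate, verify it against the CA, and bundle key +
# certificate into a password-protected PKCS#12 for the browser's personal store.
# Assumptions: openssl on PATH; subject names below are constructed placeholders.

make_client_bundle() {
    dir="$1"; pw="$2"
    mkdir -p "$dir" || return 1

    # 1. Client CA: this is the file nginx's ssl_client_certificate points at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=Example Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. User private key + certificate request.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=erp-user-01" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null || return 1

    # 3. Sign as an END-ENTITY certificate for clientAuth. Without these
    #    extensions a browser can treat the cert as an intermediate CA and
    #    never offer it during the TLS handshake.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
        > "$dir/user.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/user.ext" -out "$dir/user.crt" 2>/dev/null || return 1

    # 4. Chain check: the same validation nginx does with ssl_verify_client on.
    openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" >/dev/null || return 1

    # 5. Password-protected PKCS#12 holding key, cert and CA; some browsers
    #    refuse an unprotected bundle.
    openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
        -certfile "$dir/ca.crt" -out "$dir/user.p12" -passout "pass:$pw"
}

# Print the subject of the end-entity certificate inside a PKCS#12, so a
# bundle can be checked before it is handed to a user.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Import user.p12 into the browser's personal certificate store; the same user.crt/user.key pair can also be passed to curl with --cert and --key to confirm the nginx handshake without a browser.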