NGINX proxy to Ingress Controller with Client Certificate Authentication

0
votes

On my production env, I have a configuration with two Nginx and the communication between the two servers is secured with this config like this: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

INTERNET ---> NGINX reverse proxy ---TLS authentication---> NGINX upstream ---> Application

The conf work as expected, the upstream accept requests only by the trusted certificated.

But I need to migrate the upstream server from a bare metal server to a Kubernetes cluster on Azure Kubernetes Service. So, the conf on the server acting as a reverse proxy is unchanged and I migrate the config of the upstream to NGINX Ingress Controller.

I've deployed this image of the Ingress Controller: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0

And configured the resource as follow:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-backend
  namespace: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "dev/my-cert"
    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://google.com"
spec:
  tls:
    - hosts:
        - my-backend.my-domain
      secretName: my-cert
  rules:
    - host: my-backend.my-domain
      http:
        paths:
          - path: /
            backend:
              serviceName: my-backend-service
              servicePort: http

And the secret called "my-cert" includes: ca.crt tls.crt tls.key imported from the NGINX upstream. https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication

Config in the NGINX reverse proxy unchanged:

location / {
    set $upstream my-upstream;
    proxy_pass https://$upstream$request_uri;
    proxy_set_header Host my-backend.my-domain;
    proxy_set_header X-Request-ID $request_id;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_ssl_certificate /etc/nginx/ssl/client.pem;
    proxy_ssl_certificate_key /etc/nginx/ssl/client.key;
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    proxy_ssl_trusted_certificate /etc/nginx/CA/CA.pem;
    proxy_ssl_session_reuse on;
}

The first attempt to try the config was a curl request from the reverse proxy to the Ingress Controller passing the client certificate:

curl --cacert /etc/nginx/CA/CA.pem --key /etc/nginx/ssl/client.key  --cert /etc/nginx/ssl/client.pem https://my-backend.my-domain/health
{"status":"UP"}

It works!

But trying to send a request through the NGINX reverse proxy I'm redirected to google.com page, as configured in the Ingress Controller. This is note the expected behaviour because.

Someone can help me to fix the config and make the auth working?

1
authenticationsslnginxkubernetesproxy
Ingress controller logs says: 2020/05/01 22:49:07 [info] 38#38: *271 client sent no required SSL certificate while reading client request headers, client: X.X.X.230, server: my-backend.my-domain, request: "GET /health HTTP/1.0", host: "my-backend.my-domain"bollicino

1 Answers

1
votes

I need to enable SNI support on the NGINX client:

proxy_ssl_server_name on;

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name