
Here is my configuration.

```nginx
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate /etc/ssl/certs/nginx-self.crt;
    ssl_certificate_key /etc/ssl/private/nginx-self.key;
    ssl_client_certificate /etc/nginx/client_cert/ttca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        if ( $ssl_client_s_dn ~ "MyOU" ) {
            proxy_pass https://192.168.210.108;
        }
        return 404;
    }
}
```
  • [if in location is evil](https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/) – Gerald Schneider May 23 '23 at 10:29
  • so how to do it? – sqra May 23 '23 at 10:48
  • No idea why this is not working. But you might want to use `$ssl_client_verify` in your conditional rather than `$ssl_client_s_dn` unless you have lots of CA certs you don't accept in ttca.pem. Adding $ssl_client_s_dn to the CGI vars (and/or some of the other $ssl_ vars) might be helpful in debugging. – symcbean May 23 '23 at 16:51
  • Did you check that the 404 is coming from nginx and not the origin server? – symcbean May 23 '23 at 16:53
  • 404 is coming from nginx. When I comment out `return 404` it works ok. I get my site https://192.168.210.108 – sqra May 24 '23 at 07:32
  • "But you might want to use $ssl_client_verify in your conditional" - no. I want to check OU also and I want different redirection to different OU – sqra May 24 '23 at 07:34

1 Answer

You likely need a `break;` in your `if` block.

As it stands, the `if` implicit location inherits the `return 404;` from the outer block and since `return` trumps `proxy_pass` you still only get a 404.

`if` in `location` blocks is extremely peculiar and I'd highly recommend you avoid it unless you read the various docs and examples very carefully, including the one Gerald linked which I'm guessing you only read the title of.

Ginnungagap
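A corrected configuration, added here as an example and not part of the question or the answer. The minimal fix the answer describes is a `break;` after `proxy_pass` inside the `if`; the variant below instead selects the backend with a `map` over `$ssl_client_s_dn`, which also covers the asker's goal of sending different OUs to different backends. The variable name `$client_backend`, the second OU `OtherOU` and its address `192.0.2.10` are placeholders I chose.

```nginx
# Added example; not the asker's or the answerer's configuration.
# Minimal fix for the original: add "break;" after proxy_pass inside the if,
# so the outer "return 404;" (also a rewrite-phase directive) stops running
# when the OU matches.
#
# This variant avoids if+proxy_pass entirely. A map picks the backend from the
# verified client certificate's subject DN; the only if left is the documented
# safe form "if (...) { return ...; }".
map $ssl_client_s_dn $client_backend {
    default                           "";   # unknown OU: no backend
    # Anchor the OU so "MyOU2" does not match "MyOU". nginx renders the DN as
    # "CN=x,OU=y,O=z" (RFC 2253); older versions used "/C=../OU=.." separators.
    "~(^|[,/])OU=MyOU([,/]|$)"        "https://192.168.210.108";
    "~(^|[,/])OU=OtherOU([,/]|$)"     "https://192.0.2.10";   # placeholder
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate /etc/ssl/certs/nginx-self.crt;
    ssl_certificate_key /etc/ssl/private/nginx-self.key;
    ssl_client_certificate /etc/nginx/client_cert/ttca.pem;
    # With "on", a request without a certificate chaining to ttca.pem is
    # answered with 400 before any location is evaluated, so every request
    # that reaches location / carries a verified $ssl_client_s_dn.
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        # Rewrite phase: reject clients whose DN mapped to no backend.
        if ($client_backend = "") {
            return 404;
        }

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        # Content phase: proxy_pass with a variable. The backends are IP
        # literals, so no "resolver" directive is required.
        proxy_pass $client_backend;
    }
}
```

Check with `nginx -t` and then `curl --cert client.pem --key client.key -k https://host/` for a certificate from each OU; an unmapped OU should return 404 from nginx, a mapped one the backend's response.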