0

I have two computers in my home. computer1 is receiving all http(s) requests (from the box) and contains websites with the domain domain1.com. And the computer2 has websites with the domain domain2.com.

So I have added a domain2.com.conf in the conf.d folder of nginx on the computer1:

server {
    listen 443;

    server_name *.domain2.com domain2.com;

    location / {
        proxy_pass https://192.168.1.22:$server_port/$uri$is_args$args;
        proxy_set_header Host $host:$server_port;
    }
}

The problem is that when I try to access domain2.com, the SSL certificate that is returned is the one from domain1.com.

I've searched on Google for the way to indicate where the SSL certificates are, and I have found this:

ssl on;
ssl_certificate <path_to_certificate>;
ssl_certificate_key <path_to_certificate_key>;

But obviously, the problem is that the certificates are on computer2 and not on computer1. How can I redirect the request for the SSL certificate to computer2? I can't find a solution; maybe I have the wrong keywords.

Thank you very much.

EDIT1: According to this thread, Nginx proxy to back-end with SSL client certificate authentication, I have added the line proxy_set_header X-SSL-CERT $ssl_client_cert; to domain2.com.conf. But it is still not working.

EDIT2: According to the comment, here is the configuration file for domain1.com: domain1.com.conf

server {
    listen 80;
    listen [::]:80;
    server_name domain1.com;

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/cvrd.fr.d/*.conf;

    location /yunohost/admin {
        return 301 https://$http_host$request_uri;
    }

    access_log /var/log/nginx/domain1.com-access.log;
    error_log /var/log/nginx/domain1.com-error.log;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain1.com;

    ssl_certificate /etc/yunohost/certs/domain1.com/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/domain1.com/key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;

    add_header Strict-Transport-Security "max-age=31536000;";

    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/domain1.com.d/*.conf;

    include conf.d/yunohost_admin.conf.inc;
    include conf.d/yunohost_api.conf.inc;
}
onda47
  • 103
  • 1
  • 4
  • 3
    First, you cannot tell one server to inform its clients to get "SSL certificates" from another server. That's not how SSL works. Second, please edit your question and include nginx configuration for domain1. – EEAA Jun 05 '17 at 12:12
  • Hi, thank you for your answer. I just want to tell the client that the SSL certificate is on the same computer as the website. Why do you want the domain1 configuration? (I don't have access right now.) But to be clear, I can access the websites if I add a security exception... – onda47 Jun 05 '17 at 13:12
  • You are searching for the wrong answer. What you propose is not the answer to your problem. Please provide the information requested. – EEAA Jun 05 '17 at 13:13
  • What do you mean? – onda47 Jun 05 '17 at 13:15
  • Read my first comment, and provide the information I requested. – EEAA Jun 05 '17 at 13:16
  • Regarding your edit, are you even using client certificates for authentication? If not, that line is useless. – EEAA Jun 05 '17 at 13:19
  • Indeed, this line is useless. I have added domain1.com.conf – onda47 Jun 05 '17 at 13:55
  • Computer 1 terminates the SSL connection for both domains so computer 1 needs the certificates for both domains. AFAIK `nginx` cannot pass through SSL without terminating it. – Richard Smith Jun 05 '17 at 14:18
  • Does that mean it is not possible? This is ridiculous: the website is hosted by `computer2`, so the certificates should be on the same computer :/ – onda47 Jun 05 '17 at 14:23
  • Am I right to say that it is not possible? – onda47 Jun 06 '17 at 10:32

2 Answers

1

The crux of the issue you're faced with is that you don't have access to the certificate. Nginx calls this an HTTPS upstream. If you cannot gain access to the certificates, then you may need to use port forwarding on a firewall, but then you will need a dedicated public IP for each server.

Based on my understanding of the Nginx config options, you need to copy the SSL certificate for domain2.com over to computer1. If I'm correct, you're going to need to add the proxy_ssl_certificate option to your config file so that the Nginx proxy can ensure end-to-end encryption.

This is how the 'chain of trust' is maintained through the proxy. Additional options will be needed but it should get you started.

Syntax: proxy_ssl_certificate file;
Default: — 
Context: http, server, location
This directive appeared in version 1.7.8. 

Syntax: proxy_ssl_certificate_key file;
Default: — 
Context: http, server, location
This directive appeared in version 1.7.8. 

Edited to improve content of answer after feedback from OP

janos97
  • 36
  • 5
  • It doesn't answer my question, does it? – onda47 Jun 13 '17 at 09:42
  • I'm sure the answer can be improved. You're asking for a man-in-the-middle proxy feature that nginx cannot currently support. I've provided use cases that nginx does support in the hopes that you would either be able to clarify the question or confirm our initial assessments. – janos97 Jun 13 '17 at 12:32
0

Doing things at the http(s) level you will need the certificate and private key for domain two on computer one. This is because computer one is terminating the SSL connection. You can't pass through this information from the proxied computer / website.

However, you can use a TCP load balancer rather than an http load balancer without putting the certificate and private key on computer one. A TCP load balancer simply passes packets through without terminating the SSL connection. You can read the Nginx guide here.

Tim
  • 31,888
  • 7
  • 52
  • 78
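One way to set up the TCP passthrough Tim describes, as an added example that is not from the answer or from the nginx docs: the stream module with ssl_preread reads the SNI hostname from the ClientHello and forwards the still-encrypted TLS session for domain2.com to computer2 (192.168.1.22 from the question), so the certificate and key stay on computer2, while domain1.com keeps being terminated on computer1. The stream block must sit outside http {} (in nginx.conf, not in conf.d/, which is included inside http); the local port 8443 and the log path are assumptions.

```nginx
# /etc/nginx/nginx.conf, top level: NOT inside http {} and NOT in conf.d/.
# Needs nginx >= 1.11.5 built with --with-stream --with-stream_ssl_preread_module.
# 192.168.1.22 is computer2 from the question; 8443 and the log path are assumed.

stream {
    # Pick the backend from the SNI name in the ClientHello; nothing is decrypted.
    # 'hostnames' makes '.domain2.com' match the bare domain and every subdomain.
    # Clients that send no SNI, or an unknown name, fall through to domain1.
    map $ssl_preread_server_name $backend {
        hostnames;
        .domain2.com     192.168.1.22:443;    # computer2 keeps its own cert/key
        default          127.0.0.1:8443;      # domain1 is terminated locally
    }

    # Log which SNI name went where; useful when a client still gets the wrong cert.
    log_format sni '$remote_addr sni=$ssl_preread_server_name -> $backend';
    access_log /var/log/nginx/stream-sni.log sni;

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # no 'ssl' on this listen: the bytes pass through unopened
        proxy_pass $backend;
    }
}

http {
    # domain1.com is still terminated here, but the stream server now owns :443,
    # so only the listen lines of the existing domain1.com.conf block change.
    # Because the hop comes from the stream server, $remote_addr here will be
    # 127.0.0.1 unless proxy_protocol is enabled on both sides.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name domain1.com;

        ssl_certificate     /etc/yunohost/certs/domain1.com/crt.pem;
        ssl_certificate_key /etc/yunohost/certs/domain1.com/key.pem;

        # remaining directives of the original domain1.com server block go here unchanged
    }
}
```

Before reloading, confirm the module is present with `nginx -V 2>&1 | grep -o with-stream_ssl_preread_module` and validate with `nginx -t`; the old domain2.com.conf proxy block on port 443 must be removed, since the stream listener and an http listener cannot share 0.0.0.0:443.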