3

I am using nginx as a proxy to kestrel web server both nginx and kestrel are configured for mutual TLS whereby a client can only communicate with the server unless a certificate is sent with the request. I would like to be able to forward the ssl certificates received by nguni to kestrel but seem to be unable to do so. The proxy_ssl on directive errors when used in the server block and also the proxy_ssl_certificate serv.crt directive isn't what I need because this sends a specified certificate to kestrel whereas I would like to send the client certificate which was passed to nginx all the way to kestrel.

Here is a snippet of my Nginx config.

upstream prod {
      server 127.0.0.1:443;
    }

    server {
      listen 4430 ssl http2;
      ssl on;
      ssl_certificate /etc/ssl/certs/serv.crt;
      ssl_certificate_key  /etc/ssl/certs/serv.key;
      ssl_password_file    /etc/nginx/certs/ssl_passwords.txt;
      ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
      ssl_crl /etc/ssl/ca/private/ca.crl;
      ssl_verify_client optional_no_ca;
      ssl_session_timeout 5m;
      ssl_prefer_server_ciphers on;
      ssl_protocols TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDH$
      keepalive_timeout 10;
      server_name my-api;
      try_files $uri @prod;



      location / {
        add_header Access-Control-Allow-Origin *;
        #proxy_ssl_session_reuse on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/serv.crt;
        #proxy_ssl_certificate /etc/ssl/certs/serv.crt;
        #proxy_ssl_certificate_key /etc/ssl/certs/serv.key;
        proxy_ssl_password_file    /etc/nginx/certs/ssl_passwords.txt;
        proxy_ssl_verify       off;
        proxy_ssl_verify_depth 2;


        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_pass https://prod;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
      }

Any assistance would be greatly appreciated.

Thanks

Emmanuel Ashaye
  • 31
  • 1

0 Answers0