
I want to pass a client certificate to a subrequest with ngx.location.capture.
However, with the following function, the client certificate does not seem to get passed on by the proxy.

local cjson = require "cjson"

-- Issue an internal POST subrequest to the login endpoint, passing along the
-- current request's nginx variables and ngx.ctx.
local function checkAuthentication(userRole)
  return ngx.location.capture("/v1/auth/cert/login", {
    method = ngx.HTTP_POST,
    body = cjson.encode({ name = userRole }),
    share_all_vars = true,
    ctx = ngx.ctx,
  })
end

Relevant snippet from the nginx configuration:

server {
    ...
    ssl_verify_client optional_no_ca;

    location / {
        proxy_pass https://22.0.0.2:8200;
    }

    location /v1/pki/revoke {
        rewrite_by_lua_file /var/lua/revoke.lua;
        proxy_pass https://22.0.0.2:8200;
    }
}

1 Answer

Passing the client certificate on to a subrequest may not be possible, as there are two different HTTPS connections: one from the client to nginx, and then one from nginx to the address specified in proxy_pass.

Depending on the use case, it may be better to let nginx handle the client authentication and use a generic client certificate for authentication against the server.

To do this, a CA certificate must be specified, which is used to verify the client certificate (ssl_trusted_certificate).
An optional CRL to check the client certificates against may also be specified (ssl_crl).

ssl_trusted_certificate /ca.pem;
ssl_crl /ca.crl;
ssl_verify_client optional;

If a client can be successfully validated, $ssl_client_verify equals SUCCESS.
The client certificate that should then be used for the second HTTPS connection can be specified with proxy_ssl_certificate and proxy_ssl_certificate_key.
Note that this is a generic certificate, which from the server's perspective is the same for all clients that present a valid certificate, and not the individual client certificate.

location / {
  if ($ssl_client_verify != "SUCCESS") {
    return 403;
  }
  proxy_ssl_certificate /cert.pem;
  proxy_ssl_certificate_key /cert.key;
  proxy_pass https://22.0.0.2:8200;
}
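A complete server block for the pattern the answer describes, added here as an example and not taken from the question or the answer: nginx terminates the client's TLS connection and verifies the client certificate against a CA, then opens its own TLS connection to the upstream with one generic client certificate. The upstream address 22.0.0.2:8200 is the one from the post; the hostname, the file paths under /etc/nginx/tls/ and the X-SSL-Client-* header names are assumptions. Two things are added beyond the answer's snippet: the upstream's server certificate is verified as well (proxy_ssl_verify), so the generic client credential is never sent to an impostor on that address, and the verified end-user identity is forwarded in headers, since the upstream otherwise only ever sees the generic certificate.

```nginx
# Added example (not from the original post). Paths, hostname and header
# names are assumptions; 22.0.0.2:8200 is the upstream from the question.
server {
    listen 443 ssl;
    server_name vault.example.internal;          # assumed hostname

    # Server certificate presented to clients.
    ssl_certificate     /etc/nginx/tls/server.pem;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA used to verify client certificates, plus an optional CRL.
    # ssl_client_certificate is required once ssl_verify_client is "optional"
    # (its CA list is advertised to clients); extra CAs that must not be
    # advertised can go in ssl_trusted_certificate.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_crl                /etc/nginx/tls/client-ca.crl;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    location / {
        # Reject anything that did not present a certificate chaining to the CA.
        # $ssl_client_verify is NONE when no certificate was sent and
        # FAILED:<reason> when verification failed.
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }

        # Generic certificate used for the second TLS connection. The upstream
        # sees this one identity for every successfully verified client.
        proxy_ssl_certificate     /etc/nginx/tls/proxy-client.pem;
        proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key;

        # Verify the upstream's server certificate too; otherwise the proxy
        # would hand its client credential to whatever answers on 22.0.0.2.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;
        proxy_ssl_name                vault.example.internal;   # assumed name in the upstream cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # The upstream only sees the generic certificate, so pass the verified
        # end-user identity along (assumed header names). The upstream must
        # accept these headers only from this proxy, never from the network.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;

        proxy_pass https://22.0.0.2:8200;
    }
}
```

Check the configuration with `nginx -t` before reloading. A client that presents no certificate, or one not signed by client-ca.pem, gets a 403 from nginx and never reaches the upstream; a client with a valid certificate reaches the upstream over a connection authenticated with proxy-client.pem, with its own subject DN visible to the upstream only through the forwarded headers.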