
My scenario is the following:

  • Server A is behind domain.a.com and is protected with mTLS on AWS API Gateway, simulating a third-party system not maintained by me

  • Server B is behind domain.b.com behind AWS public application load balancer and has nginx running on ECS for forwarding requests to server A with the following settings:

  • Server A whitelists IPs from Server B for access.

  • End users access Server A through a web browser with a PAC configured to proxy requests for domain.a.com through domain.b.com, and with a client certificate signed by the Server A CA imported.

Unfortunately, I can't get the proxy working when mTLS is enabled on Server A. I don't have access to the CA that signed the client certificate either.

I tried to set up the nginx.conf as follows:

http {
    server {
        listen 8080;

        # Reverse-proxy everything to Server A
        location / {
            proxy_pass https://domain.a.com;
        }

        # Health check endpoint for the application load balancer
        location /health/check {
            return 200 '';
        }
    }
}

Notice the application load balancer is currently communicating with the proxy through HTTP on port 8080.

At the moment, I keep getting 502 Bad Gateway responses from Server B. The proxy works if I switch off mTLS on Server A.

How can I set up the system on Server B so that it can access Server A and properly forward the client certificate to it for authentication?

Thanks!

malaquf

1 Answer


Alright, I learned the hard way that this approach is not the right one. Instead, I created an EC2 instance running Squid as the proxy in the private subnet, without any access from outside except through Session Manager. Something like this.

This works like a charm for my use case.

malaquf