Nginx Client SSL certification validation
Question
I am very new to Nginx and I need your help/suggestions in resolving below issue.
I have configured Nginx as a reverse proxy on windows server 2012 r2 and trying to route calls to my Backend server 'SERVERA' whenever request is made to Nginx.
My requirement is like, I need to pass a client certificate to Nginx server and if the certficate is valid then route the calls to backend server 'SERVERA' else it should reject call at Nginx.
I have made changes to the config file on Nginx server like below to configure client certification validation.
server {
listen 443 ssl;
server_name localhost;
ssl_certificate "C:/NewCert/server.crt";
ssl_certificate_key "C:/NewCert/server.key";
ssl_client_certificate "C:/NewCert/ca.crt";
ssl_verify_client on;
location / {
root html;
index index.html index.htm;
proxy_pass https://SERVERA/MyWebService;
}
location /MyWebService {
root html;
index index.html index.htm;
proxy_pass https://SERVERA/MyWebService;
}
}
I have generated the client and server certificates as stated in the below post and used the same for Nginx server configuration " http://nategood.com/client-side-certificate-authentication-in-ngi "
After the above config changes on the Nginx server whenever I try to browse the service I get "400 Bad request" " https://localhost/MyWebService "
When I make a call from client using client certificate to Nginx server I get below error.
"{System.Net.WebException: Error: SecureChannelFailure (A call to SSPI failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Syscall at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in :0 at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status) [0x0003e] in :0 at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus) at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in :0 at Mono.Net.Security.AsyncProtocolRequest+d__24.MoveNext () "
Below is my client code
namespace Test
{
class SomeTest
{
public void SomeMethod()
{
try
{
string urlString = @"https://SERVERA/MyWebService";
MyWebClient obj = new MyWebClient();
obj.UploadData(urlString, new byte[2]);
}
catch (Exception ex)
{
string st = ex.Message;
}
}
}
class MyWebClient : WebClient
{
protected override WebRequest GetWebRequest(Uri address)
{
HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);
System.Security.Cryptography.X509Certificates.X509Certificate x509Certificate = new System.Security.Cryptography.X509Certificates.X509Certificate(@"/storage/emulated/0/nginx.crt");
request.ClientCertificates.Add(x509Certificate);
request.Method = "POST";
return request;
}
}
}
Any Help/suggestions are greatly appreciated.
Thanks, Vinod
1 answers
solution1
1 2021-08-19 08:54:48
try this in nginx config:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
server {
listen 443 ssl;
server_name localhost;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate "C:/NewCert/server.crt";
ssl_certificate_key "C:/NewCert/server.key";
ssl_client_certificate "C:/NewCert/ca.crt";
ssl_verify_client optional;
location / {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
root html;
index index.html index.htm;
proxy_pass https://SERVERA/MyWebService;
}
location /MyWebService {
root html;
index index.html index.htm;
proxy_pass https://SERVERA/MyWebService;
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.