Handling different two way ssl-request via a proxy system

Hello,

Currently we’ve got the following situation in our production
environment:

Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA PROXY —> HTTPS SERVERS

Just to be clear, the following services are used during this flow:

http client (firefox, chrome, curl, wget, etc.) —> Apache —> Squid —>
HTTPS services of other parties on the internet, supporting two-way ssl

We’ve realized this using the following configuration on the apache
service:

LoadModule ssl_module modules/mod_ssl.so

Listen *:3128

<VirtualHost *:3128>

SSLProxyEngine On
SSLProxyVerify require
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateFile /etc/httpd/certs/client.pem
SSLProxyCACertificateFile /etc/httpd/certs/ca.crt

RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]

ProxyPreserveHost On
ProxyPass / https://$1/
ProxyPassReverse / https://$1/

ProxyRemote https http://192.168.68.102:3128

We’re trying to replace the apache service by using nginx. I’ve
installed nginx 1.7.12 on CentOS 6.6 and have realized in a development
environment a two-way ssl:

http client —> Nginx 1.7.12 —> https two-way ssl directly —>
https.example.com

server {
listen 3128;
location / {
#this enables client verification
proxy_ssl_verify on;
proxy_ssl_verify_depth 3;

   #client certificate for upstream server
   proxy_ssl_certificate /etc/nginx/certs/client.crt;

   #client key generated from upstream cert
   proxy_ssl_certificate_key /etc/nginx/certs/client.key;

   proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;

   proxy_pass https://https.example.com:443/; # Specifying "https" 

causes NGINX to
# encrypt the traffic
}
}

There are two thing I haven’t realized in the development environment,
because I don’t know how:

  1. Making the Nginx 1.7.12 to use a proxy system, because that’s our
    policy to communicate to the outside world.
  2. Making the configuration variable as much as possible. So the Nginx
    1.7.12 handles all different http client requests to different https
    servers and send them as a https two-way ssl. Currently it only handles
    request for https.example.com http://https.example.com/.

Any help is welcome.

Abdelouahed

On Mon, Apr 13, 2015 at 09:13:22AM +0200, Abdelouahed Haitoute wrote:

Hi there,

Currently we’ve got the following situation in our production environment:

Clients —HTTP—> Apache —HTTPS TWO-WAY SSL VIA PROXY —> HTTPS SERVERS

We’re trying to replace the apache service by using nginx.

nginx does not talk to a proxy.

nginx is not a proxy.

nginx may not be the right tool for your system.

f

Francis D. [email protected]

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs