How to setup nginx as reverse proxy + tomcat ssl

Hey guys,

I am totally new to Nginx, I need some advice with my reverse proxy
setup.

This is what i am trying to set up. Client(commit a client
cert)<========>| Nginx (reverse proxy with ssl)|<========>Tomcat (with
SSL and clientAuth=true)

Follow is my nginx.conf,but it don’t work.The messge from nginx logs:
2010/04/01 15:18:53 23771#0: *51 SSL_do_handshake() failed (SSL:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate)
while SSL handshaking to upstream, client: 192.168.2.225, server:
localhost, request: “GET /prepayms/ HTTP/1.1”, upstream:
https://192.168.2.33:18444/prepayms/”, host: “192.168.2.48:48443”

nginx.conf:

upstream backssl{
server 192.168.2.33:18444;

}# HTTPS server

server {
    listen       48443  default ssl;
    server_name  localhost;


    ssl                  on;

    ssl_client_certificate   /home/newprepay/ca/ca-cert.pem;
    ssl_certificate  /home/newprepay/server/server-cert.pem;
    ssl_certificate_key  /home/newprepay/server/server.key;
    ssl_session_timeout  5m;
    ssl_verify_client on;

ssl_verify_depth 12;
ssl_session_cache builtin:1000 shared:SSL:10m;

    ssl_protocols  TLSv1 SSLv2 SSLv3;
    ssl_ciphers 

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSlv3:+EXP;
ssl_prefer_server_ciphers on;

    location / {
       root   html;
        index  index.html index.htm;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;

proxy_pass https://backssl;

My questions are
Can I have an SSL from Client to Nginx and another between Nginx and
Tomcat ,nginx verify the client certificate,and also transfer the
client certificate to tomcat,tomcat also verify the client
certificate.

if nginx can do this,how to setup.Can someboby give me an correct
nginx.conf for this?

Thank You,
kaiyuan

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,69690,69690#msg-69690

Hello!

On Wed, Mar 31, 2010 at 04:09:42AM -0400, kaiyuan wrote:

[…]

My questions are
Can I have an SSL from Client to Nginx and another between
Nginx and Tomcat ,nginx verify the client certificate,and
also transfer the client certificate to tomcat,tomcat also
verify the client certificate.

if nginx can do this,how to setup.Can someboby give me an
correct nginx.conf for this?

This is not possible. To “transfer” client certificate one have
to be able to access certificate’s private key. Moreover, nginx
currently doesn’t support using client certificates in proxy
connections at all.

You may want to pass results of client cert verification
($ssl_client_s_dn and so on) from nginx to tomcat in http headers
instead. See here for details:

http://wiki.nginx.org/NginxHttpSslModule#Built-in_variables
http://wiki.nginx.org/NginxHttpProxyModule#proxy_set_header

Maxim D.

hi,axim Dounin
that is a good idea.
thank you very much!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,69690,69718#msg-69718

kaiyuan at 2010-3-31 17:40 wrote:

hi,axim Dounin
that is a good idea.
thank you very much
Maybe you can use my developing nginx_tcp_proxy_module:
http://github.com/yaoweibin/nginx_tcp_proxy_module
It should be helpful.


Weibin Y.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs