Proxy_Pass to another vhost on same machine

Hello,
I am attempting to use ca.mydomain.com with client certificate auth as a
springboard for other sites on the same server. I am using client certs with
my iphone (and other browsers) to skip the password auth and be more secure.
The first two proxy_pass statements work fine (sickbeard and couchpotato)
but the next (munin) gives the error 400 Bad Request No required SSL
certificate was sent. If I put the address
(https://tools.mydomain.com/munin) in my address bar it works fine? I don’t
understand why it is requesting the client cert for the subdomain that
doesn’t use client auth. The tools.mydomain.com uses basic auth.

Secondly I want to access the tools.mydomain.com from ca.mydomain.com and
not be prompted for the basic auth password. So I want to include the
authorization in the proxying.

Any help you all can provide would be great. I hope I explained my issue
well enough!

server {
    listen my.ip.address:80;
    server_name ca.mydomain.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen my.ip.address:443 ssl spdy;
    ssl_certificate /etc/ssl/certs/my.pem;
    ssl_certificate_key /etc/ssl/private/my.key;
    root /var/www/ca.thefamilygarrison;
    index index.php index.html index.htm;
    server_name ca.mydomain.com;
    pagespeed off;

    ssl_client_certificate /etc/nginx/clientauth/ca.crt;
    ssl_verify_client on;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location /sickbeard {
        proxy_pass http://my.ip.address:65007/sickbeard;
    }

    location /couchpotato {
        proxy_pass http://my.ip.address:65005/couchpotato;
    }

    location /munin {
        proxy_pass https://tools.mydomain.com/munin;
    }

}

Posted at Nginx Forum:

Hello!

On Mon, Jun 09, 2014 at 01:53:11PM -0400, paulg1981 wrote:

> Hello,
> I am attempting to use ca.mydomain.com with client certificate auth as a
> springboard for other sites on the same server. I am using client certs with
> my iphone (and other browsers) to skip the password auth and be more secure.
> The first two proxy_pass statements work fine (sickbeard and couchpotato)
> but the next (munin) gives the error 400 Bad Request No required SSL
> certificate was sent. If I put the address
> (https://tools.mydomain.com/munin) in my address bar it works fine? I don’t
> understand why it is requesting the client cert for the subdomain that
> doesn’t use client auth. The tools.mydomain.com uses basic auth.

In no particular order:

  • Make sure that the “s” in “https://tools…” isn’t a typo and
    you actually mean to use an encrypted connection between nginx and
    this backend.

  • Make sure the “tools.mydomain.com” https backend actually doesn’t
    have client cert auth switched on. In particular, make sure
    it either uses a separate ip:port, or you’ve enabled SNI in
    nginx proxy (Module ngx_http_proxy_module).

> Secondly I want to access the tools.mydomain.com from ca.mydomain.com and
> not be prompted for the basic auth password. So I want to include the
> authorization in the proxying.

Instead of providing a password, you may consider configuring
access from a fixed set of ip addresses, using the access module
and “satisfy any”, see Module ngx_http_core_module for an example.

If you want nginx to send a password, you may do so by adding
the Authorization header with proxy_set_header, see
Module ngx_http_proxy_module and
RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication.


Maxim D.
http://nginx.org/
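
The suggestions in the reply above, put together as an added example configuration (not code from either poster). It assumes tools.mydomain.com is a second server block on the same ip:port; the backend certificate paths, the htpasswd path, the realm string and the base64 credential are constructed placeholders.

```nginx
# Front vhost: client-certificate auth, only the /munin location shown.
server {
    listen my.ip.address:443 ssl;
    server_name ca.mydomain.com;
    ssl_certificate        /etc/ssl/certs/my.pem;
    ssl_certificate_key    /etc/ssl/private/my.key;
    ssl_client_certificate /etc/nginx/clientauth/ca.crt;
    ssl_verify_client      on;

    location /munin {
        proxy_pass https://tools.mydomain.com/munin;

        # Send the backend's host name in the TLS handshake (SNI), so a
        # backend sharing this ip:port is matched by name, not by default.
        proxy_ssl_server_name on;

        # Option B: nginx presents the basic-auth credentials itself.
        # Constructed value: base64 of "user:password".
        proxy_set_header Authorization "Basic dXNlcjpwYXNzd29yZA==";
    }
}

# Backend vhost: basic auth, no client-certificate auth.
server {
    listen my.ip.address:443 ssl;
    server_name tools.mydomain.com;
    ssl_certificate     /etc/ssl/certs/my.pem;     # assumed: same cert as above
    ssl_certificate_key /etc/ssl/private/my.key;   # assumed
    # No ssl_verify_client here.

    location /munin {
        # Option A: skip the password for requests coming from the proxy's
        # address; everyone else still has to pass basic auth.
        satisfy any;
        allow   my.ip.address;
        deny    all;

        auth_basic           "tools";                 # constructed realm
        auth_basic_user_file /etc/nginx/htpasswd;     # hypothetical path
        # Existing munin root/alias directives stay here.
    }
}
```

Option A and Option B are alternatives; pick one. With Option B the password sits in the nginx configuration, so that file needs the same protection as the htpasswd file, and every holder of a valid client certificate reaches munin as that one user.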