Proxy to upstream HTTPS server *with different* keys/certs in nginx

Is it possible to use a different set of certs for the client side and
another set for the upstream server side?

My use case is to have different sets of local ssl certs on Nginx. A
key/cert pair for communicating with clients and another set for
communicating with the upstream proxy.

Right now I can define a server module with ssl and specify the ssl
certificates and specify a https protocol for proxy_pass for a location.
But both client and upstream connections end up using the same certificates
specified with $ssl_certificate. How can I specify different certificates
for the client side connection and upstream side connection?

Posted at Nginx Forum:

tbamise Wrote:

Hello!

On Sat, Feb 08, 2014 at 07:39:12PM -0500, tbamise wrote:

specified with $ssl_certificate. How can I specify different certificates
for the client side connection and upstream side connection?

Connections to upstream servers don’t use any client certificates.


Maxim D.
http://nginx.org/

itpp2012 Wrote:

tbamise Wrote:

Is it possible to use a different set of certs for the client side and
another set for the upstream server side?

Use a tunnel like stunnel to encrypt upstreams, which supports client
certs.

I’ve heard that stunnel does not scale very well. I’m looking at
managing a lot of simultaneous ssl connections, hence using Nginx.

Posted at Nginx Forum:

Connections to upstream servers don’t use any client certificates.

Yes I agree. The connection to the upstream server uses the nginx server
certificates specified by $ssl_certificate(_key).
Basically I want to use:
for downstream to clients - a.cert & a.cert.key for connections to clients
for upstream to upstream servers - b.cert & b.cert.key for connections to
upstream servers.

The https & server modules of Nginx only allow you to specify a single
cert pair via $ssl_certificate(_key)

Posted at Nginx Forum:

I’ve heard that stunnel does not scale very well. I’m looking at
managing a lot of simultaneous ssl connections, hence using Nginx.

You can load balance them, even create a pool for one worker with Lua and
expand them as needed.

Posted at Nginx Forum:

Hello!

On Sun, Feb 09, 2014 at 07:13:55PM -0500, tbamise wrote:

Connections to upstream servers don’t use any client certificates.

Yes I agree. The connection to the upstream server uses the nginx server
certificates specified by $ssl_certificate(_key).

It looks like you didn’t understand my answer. Again: connections
to upstream servers don’t use any client certificates. That is,
no certificates are used by nginx when connecting to upstream
servers.

Basically I want to use:
for downstream to client - a.cert & a.cert.key for connection to clients
for upstream to upstream servers - b.cert & b.cert.key for connection to
upstream servers.

The https & server modules of Nginx only allow you to specify a single cert
pair via $ssl_certificate(_key)

The only thing you can specify is ssl_client_certificate (and
ssl_client_certificate_key), and it is used only in connections
with clients.

SSL support in proxy module is rather rudimentary and it doesn’t
support using client certificates.


Maxim D.
http://nginx.org/

tbamise Wrote:

to upstream servers.

The https & server modules of Nginx only allow you to specify a single
cert pair via $ssl_certificate(_key)

For a lack of better words, I’m looking to terminate the client ssl
connection at Nginx and establish a new ssl connection with the upstream
server without modifying the hypertext transport protocol.

Posted at Nginx Forum:

Hi,

Yes I agree. The connection to the upstream server uses the nginx server
certificates specified by $ssl_certificate(_key).

It looks like you didn’t understand my answer. Again: connections
to upstream servers don’t use any client certificates. That is,
no certificates are used by nginx when connecting to upstream
servers.

Take a look at haproxy, it can use client certificates when connecting
to backend servers [1].

Regards,

Lukas

[1] HAProxy version 1.5.18 - Configuration Manual

itpp2012 Wrote:

I’ve heard that stunnel does not scale very well. I’m looking at
managing a lot of simultaneous ssl connections, hence using Nginx.

You can load balance them, even create a pool for one worker with Lua
and expand them as needed.

Thanks! I’ll try this

Posted at Nginx Forum:

Hi,

I’ll rephrase the question. I’m interested in server certificates (not
client). The ssl_certificate_key file is used as a private key for the
server to decrypt ssl connections for clients. I’m looking to configure
another key for encrypting ssl connections from the nginx server to the
upstream server.

That’s the point exactly. You don’t need a key to encrypt ssl connections
from nginx to upstream https servers, EXCEPT if you are using client
certificates.

So either you want to specify the CA file to verify the upstream servers
certificate and you do not use client certificates (no pem file, no key)

OR

you are using client certificates, which is why you need a certificate +
key on the nginx side to connect to upstream https.

So what exactly are you trying to achieve?

you are using client certificates, which is why you need a certificate +
key on the nginx side to connect to upstream https.

I am using client certificates on the nginx side to connect to upstream
https.
The issue is that when I turn on client verification on the upstream server,
nginx doesn’t provide the client certificates.

Any ideas why?
Thanks much appreciated!

Posted at Nginx Forum:

Hello!

The only thing you can specify is ssl_client_certificate (and
ssl_client_certificate_key), and it is used only in connections
with clients.

Following the Nginx docs (Module ngx_http_ssl_module), you can specify
ssl_certificate_key and ssl_certificate files in an nginx conf file, which
specify the files with the certificate in PEM format for the given virtual
server. The ssl_client_certificate configuration refers to the CA cert used
to verify clients.

I’ll rephrase the question. I’m interested in server certificates (not
client). The ssl_certificate_key file is used as a private key for the
server to decrypt ssl connections for clients. I’m looking to configure
another key for encrypting ssl connections from the nginx server to the
upstream server.

Posted at Nginx Forum:

Thanks Lukas! Guess I have to patch Nginx to use client certificates
with upstream servers.
Any suggestion as to a good place to start? I’m looking at
ngx_http_upstream.c and ngx_event_openssl.c

Posted at Nginx Forum:

I am using client certificates on the nginx side to connect to upstream https.
The issue is that when I turn on client verification on the upstream server,
nginx doesn’t provide the client certificates.

Any ideas why?

Please read Maxim’s responses.
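The thread above predates upstream client-certificate support in nginx. As an added example, not taken from any post here, the following configuration shows the setup the original poster asked for on nginx 1.7.8 or later, where the proxy module gained proxy_ssl_certificate and proxy_ssl_certificate_key: one key pair (a.cert) for the client-facing listener and a separate pair (b.cert) presented as a client certificate to the upstream, with the upstream's own certificate verified against a local CA bundle. Hostnames and file paths are placeholders.

```nginx
# Added example, not from the thread. Needs nginx >= 1.7.8 for
# proxy_ssl_certificate / proxy_ssl_certificate_key. Paths are placeholders.

http {
    upstream backend {
        server backend.example.internal:443;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        # Downstream side: identity shown to browsers (a.cert in the thread)
        ssl_certificate     /etc/nginx/certs/a.cert;
        ssl_certificate_key /etc/nginx/certs/a.cert.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Client TLS is terminated here; a new TLS session is opened to upstream
            proxy_pass https://backend;

            # Upstream side: separate client certificate (b.cert in the thread),
            # sent only when the upstream requests client verification
            proxy_ssl_certificate     /etc/nginx/certs/b.cert;
            proxy_ssl_certificate_key /etc/nginx/certs/b.cert.key;

            # Verify the upstream's server certificate; without this, nginx
            # would accept any certificate the upstream presents
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;

            # Send SNI and check the upstream cert against the expected name
            proxy_ssl_server_name on;
            proxy_ssl_name        backend.example.internal;
            proxy_ssl_protocols   TLSv1.2 TLSv1.3;
        }
    }
}
```

Keep b.cert.key readable only by the nginx worker user; the upstream should enable client verification against the CA that issued b.cert so that a proxy without that key is rejected.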