ProxySSL with client certificate - error redirection problem

adileso · September 21, 2009, 2:56pm

Hi all,

I have published an internal web site with HTTPS and set the
ssl_verify_client on. I need some fields from the client certificate to
send them to the back-end web server, so I can correctly access a
specific database.

It’s working but I also need to redirect the client to a second internal
website in case his certificate is missing or is invalid.
I have tried to capture the error page that I’ve got in the browser
(when I don’t send a client certificate) and put a redirect link in that
error page. The second website will generate the client certificates
based on a user and password.

I am trying to avoid to give 2 separate links to the client (one for the
client certificate generation and one for database access)
Any suggestions? I’ve tried also to do this with apache ssl_error_module
with no luck.
Thanks in advance.

server {
listen 8443;
ssl on;
ssl_certificate /etc/httpd/ssl/proxy-ssl.cer;
ssl_certificate_key /etc/httpd/ssl/server.key;
ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_verify_depth 5;

error_page 400  /400.html;
    location  /400.html {
    root  /usr/share/nginx/html;
    }

access_log  /var/log/nginx/proxy.access.log  main;
error_log  /var/log/nginx/proxy.error.log  debug;

location / {
    proxy_pass      http://10.20.0.15:80; proxy_buffering on;
    proxy_set_header    Subject    $ssl_client_s_dn;
    proxy_set_header    Issuer     $ssl_client_i_dn;
    proxy_set_header    SerialNumber     $ssl_client_serial;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 15;
    proxy_intercept_errors on;
   }

}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,8120,8120#msg-8120

adileso · September 21, 2009, 9:16pm

On Mon, Sep 21, 2009 at 08:46:03AM -0400, adileso wrote:

ssl_prefer_server_ciphers   on;
}
I do not undernstand your problem completely, however, probably you need
something like this:

   error_page  495 = /invalid;
   error_page  496 = /no_cert;

   location / {
       # usual way
       proxy_pass  ...
   }

   location = /invalid {
       # invalid cert
       proxy_pass  ...
   }

   location = /no_cert {
       # no cert
       proxy_pass  ...
   }

adileso · September 22, 2009, 8:01pm

Thank you very much Igor,

Your setup is working fine if I do reverse proxy on http.
Because I needed to redirect the error to a https page, I have modified
the setup by creating another proxy ssl instance, where I didn’t asked
for ssl_verify_client.
My setup is working now, even if I don’t use the standard SSL port. Any
other suggestions for it?
Here it is, for any other interested:

HTTPS server configuration

server {
listen 443;

ssl                  on;
ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
ssl_certificate_key  /etc/httpd/ssl/server.key;
ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt;
ssl_session_timeout  5m;
ssl_protocols  SSLv2 SSLv3 TLSv1;
ssl_ciphers

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_verify_depth 5;

 error_page   495   https://external.web.address:44399/certsrv;
 error_page   496   https://external.web.address:44399/certsrv;

location / {
    proxy_pass      http://internal.web.server:80; proxy_buffering

on;
proxy_set_header Subject $ssl_client_s_dn;
proxy_set_header Issuer $ssl_client_i_dn;
proxy_set_header SerialNumber $ssl_client_serial;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 15;
proxy_intercept_errors on;
}

access_log  /var/log/nginx/proxy.access.log  main;
error_log  /var/log/nginx/proxy.error.log  debug;

}

server {
listen 44399;

ssl                  on;
ssl_certificate      /etc/httpd/ssl/proxy-ssl.cer;
ssl_certificate_key  /etc/httpd/ssl/server.key;
ssl_session_timeout  5m;
ssl_protocols  SSLv2 SSLv3 TLSv1;
ssl_ciphers

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

location / {
    proxy_pass      https://internal.web.server; proxy_buffering on;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 15;
    proxy_intercept_errors on;
   }

access_log  /var/log/nginx/certificate.access.log  main;
error_log  /var/log/nginx/certificate.error.log  debug;

}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,8120,8343#msg-8343

adileso · September 22, 2009, 10:04pm

On Tue, Sep 22, 2009 at 05:45:27AM -0400, adileso wrote:

Thank you very much Igor,

Your setup is working fine if I do reverse proxy on http.
Because I needed to redirect the error to a https page, I have modified the setup by creating another proxy ssl instance, where I didn’t asked for ssl_verify_client.

You do not need an external redirect for this:

 error_page   495  496  /certsrv;

 location = /certsrv {
     proxy_pass      https://internal.web.server;
     ...
 }