Forum: NGINX One link/area on a https site with a different SSL config?

Patrick Lists (Guest)
on 2014-01-09 22:43
(Received via mailing list)
Hi,

On a Wordpress website that works with a basic StartSSL certificate I
wonder if it is possible to configure nginx (1.4.4) to use a separate
self-signed cert with client certificate authentication for wp-login.php
and any link in wp-admin/ ?

So the regular https://blog.example.org/[some/link] uses the StartSSL
cert for the https session

But the https://blog.example.org/wp-login.php and
https://blog.example.org/wp-admin/* use a self-signed certificate with
client certificate authentication for the https session

Is that possible? If yes, any keywords or what to read up on are much
appreciated.

Thanks,
Patrick
Styopa Semenukha (Guest)
on 2014-01-09 22:49
(Received via mailing list)
Patrick,

It's not possible, because SSL works on lower level (session layer) than
HTTP (application layer).

On Thursday, January 09, 2014 10:42:55 PM Patrick Lists wrote:
> But the https://blog.example.org/wp-login.php and
--
Best regards,
Styopa Semenukha.
Patrick Lists (Guest)
on 2014-01-10 04:28
(Received via mailing list)
Hi Styopa,

On 09-01-14 22:48, Styopa Semenukha wrote:
> Patrick,
>
> It's not possible, because SSL works on lower level (session layer) than HTTP
> (application layer).

Thank you for your feedback. That's unfortunate. I hope to see flexible
SSL config one day as an enhancement (if possible). For now I guess I'll
do IP based deny/allow instead.

Regards,
Patrick
Andreas S. (andreas)
on 2014-01-10 09:13
Patrick Lists wrote in post #1132735:
> On 09-01-14 22:48, Styopa Semenukha wrote:
>> Patrick,
>>
>> It's not possible, because SSL works on lower level (session layer) than HTTP
>> (application layer).
>
> Thank you for your feedback. That's unfortunate. I hope to see flexible
> SSL config one day as an enhancement (if possible).

It is not possible, not with nginx nor any other web server. Read up on
how the SSL handshake and HTTP over SSL works, and it should become
clear.
Igor Sysoev (Guest)
on 2014-01-10 09:17
(Received via mailing list)
On Jan 10, 2014, at 12:13 , Andreas S. wrote:

> It is not possible, not with nginx nor any other web server. Read up on
> how the SSL handshake and HTTP over SSL works, and it should become
> clear.

It is actually possible, at least Apache can do this with SSL
renegotiation.
But nginx currently does not support this.
Patrick Lists (Guest)
on 2014-01-10 14:23
(Received via mailing list)
On 10-01-14 09:16, Igor Sysoev wrote:
>>> SSL config one day as an enhancement (if possible).
>>
>> It is not possible, not with nginx nor any other web server. Read up on
>> how the SSL handshake and HTTP over SSL works, and it should become
>> clear.
>
> It is actually possible, at least Apache can do this with SSL renegotiation.
> But nginx currently does not support this.

Thanks Igor. It's good to know that it's possible with Apache. I prefer
to stay with nginx so will use IP deny/allow for now.

Regards,
Patrick
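
An added configuration sketch, not posted by anyone in this thread: it keeps the single server certificate the replies above say nginx must use for the whole host, and combines the IP allow/deny Patrick settles on with a client-certificate check enforced only on the admin paths. The file paths, the private client CA and the address range are placeholders.

```nginx
# Added example; paths, CA file and address range are placeholders.
server {
    listen 443 ssl;
    server_name blog.example.org;

    # One server certificate for every URI on this host. It is sent during
    # the handshake, before nginx has read the request line, so it cannot
    # depend on whether the client asks for /wp-admin/ or a public page.
    ssl_certificate     /etc/nginx/ssl/blog.example.org.crt;
    ssl_certificate_key /etc/nginx/ssl/blog.example.org.key;

    # Private CA used only to verify client certificates. It does not have
    # to be the CA that issued the server certificate above.
    ssl_client_certificate /etc/nginx/ssl/admin-client-ca.crt;

    # "optional" asks every client for a certificate during the one and only
    # handshake, but lets the handshake complete without one. The result is
    # exposed to request processing as $ssl_client_verify.
    ssl_verify_client optional;

    # Regex locations are tried in order of appearance, so keep this block
    # above any generic "location ~ \.php$" block.
    location ~ ^/(wp-login\.php|wp-admin/) {
        # Network-level restriction (the deny/allow fallback from the thread).
        allow 192.0.2.0/24;
        deny  all;

        # Certificate-level restriction: reject the request unless a client
        # certificate was presented and verified against the CA above.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # The site's existing PHP handling for these paths goes here.
    }
}
```

A request to the protected paths has to pass both checks; visitors to the rest of the site may see a certificate prompt in some browsers because the request for a client certificate is sent on every handshake.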
tbamise (Guest)
on 2014-02-08 00:45
(Received via mailing list)
>> Patrick Lists wrote in post #1132735:
>>> On 09-01-14 22:48, Styopa Semenukha wrote:
>>>> Patrick,
>>>>
>>>> It's not possible, because SSL works on lower level (session layer)
>>>> than HTTP (application layer).
>>>
>>> Thank you for your feedback. That's unfortunate. I hope to see flexible
>>> SSL config one day as an enhancement (if possible).
>>
>> It is not possible, not with nginx nor any other web server. Read up on
>> how the SSL handshake and HTTP over SSL works, and it should become
>> clear.

> It is actually possible, at least Apache can do this with SSL renegotiation.
> But nginx currently does not support this.

Expanding on this question, is it possible to use a different set of certs
for the client side and another set for the upstream server side?
Right now I can define a server module with ssl and specify the ssl
certificates and specify a https protocol for proxy_pass for a location.
But both connections end up using the same certificates specified with
$ssl_certificate. How can I specify different certificates for the client
side connection and upstream side connection?

Thanks in advance.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246208,247293#msg-247293