Passing Client Certificate to Backend with Nginx

certificate Mar 10, 2020

In the previous article, we examined how to make mTLS Auth with Nginx. In this article

https://blog.apigo.com/mtls-client-certification-auth


We will examine how to pass the Client certificate to the Backend service.

You can validate Certificate from Backend Service. Is is necessary to set
ssl_verify_client optional_no_ca; and pass to Raw Certificate Backend service

so complete nginx config like below

map $ssl_client_raw_cert $a {
   "~^(-.*-\n)(?<st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$" $st;
}

server {
    listen 443 ssl;
    server_name localhost;

    # server certificate
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # CA certificate
    ssl_client_certificate /etc/nginx/certs/ca.crt;

    # need to validate client certificate(if this flag optional it won't
    # validate client certificates)
    ssl_verify_client optional_no_ca;
    location / {
        # remote ip and forwarding ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # certificate verification information
        # if the client certificate verified against CA, the header VERIFIED
        # will have the value of 'SUCCESS' and 'NONE' otherwise
        proxy_set_header VERIFIED $ssl_client_verify;
        
        # Certificate Raw add to Header
        proxy_set_header X-Client-Cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;

        # client certificate information(DN)
        proxy_set_header DN $ssl_client_s_dn;

        proxy_pass https://echo:443;
    }
}

default.conf

and passed Certificate to backend Service like this

Tags

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.