Passing Client Certificate to Backend with Nginx
2 min read · Jan 19, 2021
In this article I will describe how to set up mutual authentication (mTLS, client certificate verification) with Nginx.
First, we create the necessary certificates for the server and client.
CA key and certificate
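# Key size and validity are variables so the same steps can be reused.
# 1024-bit RSA is below what current TLS stacks accept, so 2048 is the minimum.
key_bits=2048
days=365

# CA key and certificate. The CA key stays passphrase-protected (-des3) and
# never leaves this machine; openssl prompts for the passphrase interactively.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -sha256 -days "$days" -key ca.key -out ca.crt

# server key and csr (certificate signing request)
# The server key is generated without a passphrase: nginx reads it at startup
# and, with no ssl_password_file configured, would block waiting for the
# passphrase — a container started with CMD ["nginx"] then just hangs.
# chmod is harmless if the file was already created with restricted mode.
openssl genrsa -out server.key "$key_bits"
chmod 600 server.key
openssl req -new -key server.key -out server.csr

# sign server CSR with CA certificate and key
# -CAcreateserial keeps a ca.srl counter so every certificate issued by this CA
# gets a unique serial. The original '-set_serial 01' gave the server and the
# client certificate the same serial, which RFC 5280 forbids and which some
# clients reject.
# NOTE(review): browsers and recent curl also require a subjectAltName on the
# server certificate; add one when signing (e.g. -extfile with
# subjectAltName=DNS:localhost) if your client enforces it.
openssl x509 -req -sha256 -days "$days" -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt

# client key and csr (certificate signing request)
# The client key keeps its passphrase; the client tool prompts for it on use.
openssl genrsa -des3 -out client.key "$key_bits"
openssl req -new -key client.key -out client.csr

# sign client CSR with CA certificate and key (reuses the ca.srl counter)
openssl x509 -req -sha256 -days "$days" -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt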
Then it is necessary to configure the nginx server to verify client certificates.
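# default.conf
server {
  listen 443 ssl;
  server_name localhost;
  # add hosts your domain for local requests

  # server certificate
  ssl_certificate     /etc/nginx/certs/server.crt;
  ssl_certificate_key /etc/nginx/certs/server.key;

  # CA certificate used to verify client certificates
  ssl_client_certificate /etc/nginx/certs/ca.crt;
  # 'on' rejects any request that does not present a certificate chaining to
  # ca.crt. 'optional' lets such requests through and only reports the result
  # in $ssl_client_verify; 'optional_no_ca' additionally skips the CA check,
  # so the backend would have to verify the certificate itself.
  ssl_verify_client on;

  location / {
    # remote ip and forwarding ip
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # certificate verification information:
    # $ssl_client_verify is 'SUCCESS', 'FAILED:<reason>' or 'NONE'. With
    # ssl_verify_client on, only 'SUCCESS' ever reaches this location; the
    # other values can only be seen with 'optional' / 'optional_no_ca'.
    proxy_set_header VERIFIED $ssl_client_verify;
    # client certificate information (subject DN)
    proxy_set_header DN $ssl_client_s_dn;

    # The backend must be reachable only through this proxy (do not publish
    # its port); otherwise VERIFIED and DN could be set by anyone talking to
    # it directly.
    # nginx does not verify the upstream's certificate by default
    # (proxy_ssl_verify off); for a real backend enable proxy_ssl_verify and
    # point proxy_ssl_trusted_certificate at its CA.
    proxy_pass https://echo:443;
  }
}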
Dockerize your NGINX
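# Dockerfile
FROM ubuntu:14.04
# NOTE(review): ubuntu:14.04 is end-of-life; the same steps work on a current
# Ubuntu release, or use the official nginx image and just COPY the config.
LABEL maintainer="Muhammet GÜMÜŞ (muhgumus@gmail.com)"

# install nginx in one layer; apt lists are removed so they are not baked in
RUN apt-get update -y \
  && apt-get install -y python-software-properties software-properties-common \
  && add-apt-repository -y ppa:nginx/stable \
  && apt-get update -y \
  && apt-get install -y nginx \
  && rm -rf /var/lib/apt/lists/*
RUN chown -R www-data:www-data /var/lib/nginx

# expose ports: default.conf listens on 443 only, nothing is served on 80/8443
EXPOSE 443

# Copy only what nginx needs. Copying the whole certs/ directory would bake the
# CA private key and the client key/certificate into the image.
COPY certs/server.crt certs/server.key certs/ca.crt /etc/nginx/certs/
# If server.key is passphrase-protected (openssl genrsa -des3), nginx prompts
# for the passphrase at start and the container hangs; generate the key
# without one or configure ssl_password_file.
# add nginx conf
COPY config/default.conf /etc/nginx/conf.d/default.conf
WORKDIR /etc/nginx
# daemon mode off via -g instead of appending to nginx.conf with echo (the
# quotes in that echo are typographic as rendered here, which nginx cannot
# parse).
CMD ["nginx", "-g", "daemon off;"]
docker-compose.yaml
version: '3.4'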
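services:
  nginx:
    # 'docker-compose build' below needs a build context; assumes the
    # Dockerfile sits next to this file (otherwise build mynginx separately).
    build: .
    image: mynginx
    ports:
      - "443:443"
  echo:
    image: "mendhak/http-https-echo"
    # No 'ports:' entry on purpose: the echo service is only reachable from
    # nginx on the compose network, so the VERIFIED and DN headers that
    # default.conf sets cannot be supplied by an outside caller.
    # NOTE(review): default.conf proxies to https://echo:443 — confirm the
    # image version in use serves HTTPS on 443.

docker-compose build
docker-compose up -d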