How to proxy http_x_ssl_client_s_dn?

I want to proxy the request header 'HTTP_X_SSL_CLIENT_S_DN' through nginx.

Here is our server network structure.

[front server:443] <---> [nginx proxy:8004] <---> [application server:8008]
(client cert auth)

When I tried two servers ([front server] and [server application]), it worked correctly. The HTTP_X_SSL_CLIENT_S_DN header was passed to the application server.

Then, after adding the [nginx proxy] server, the header 'HTTP_X_SSL_CLIENT_S_DN' was not passed to the application server.

Below is my nginx configuration.

server {
    listen   8004;
    index index.html;

    location / {
        proxy_pass_header Server;
        proxy_pass_header X-Scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://app-server/;

# TODO: to proxy 'HTTP_X_SSL_CLIENT_S_DN'
# failed settings
#        proxy_pass_request_headers on; # not worked (default: on)
#        proxy_pass_header X-SSL-Client-S-DN; # none
#        proxy_pass_header X_SSL_CLIENT_S_DN; # none
#        proxy_pass_header HTTP_X_SSL_CLIENT_S_DN; # none
#        proxy_pass_header HTTP-X-SSL-CLIENT-S-DN; # none
#        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn; # none
#        proxy_set_header X_SSL_Client_S_DN $x_ssl_client_s_dn; # none
#        proxy_set_header X-SSL-Client-S-DN $http_ssl_client_s_dn; # none
#        proxy_set_header X-SSL-Client-S-DN $http_x_ssl_client_s_dn; # none
    }
}

upstream app-server {
    server 127.0.0.1:8008;
}

Any help.

+5
2 answers

First of all, make sure that nginx.conf is configured to check client certificates! I had the same problem that you described.

server {
  # ...
  ssl_client_certificate /srv/ssl/self.crt;
  ssl_verify_depth     1;
  ssl_verify_client    on;
  # ...
  location @app { # I'm using nginx+unicorn, don't blindly copy this!  :)
    # ...
    proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    # ...
  }
}

, , root. "me", root "self" .

  • .

    openssl genrsa -out me.key 1024
    
  • -CA .

    openssl req -new -key me.key -out me.csr
    
  • CA .

    openssl x509 -req -days 365 -in me.csr -CA self.crt -CAkey self.key -set_serial 01 -out me.crt
    
  • .

    curl -v -s -k --key me.key --cert me.crt https://fort-awesome-o
    
  • : , .

    openssl pkcs12 -export -in me.crt -inkey me.key -certfile self.crt -out me.p12
    

- Sinatra, HTTP, :

"HTTP_X_SSL_CLIENT_SERIAL" => "01", "HTTP_X_SSL_CLIENT_VERIFY" => "", "HTTP_X_SSL_CLIENT_S_DN" => "/C=US/ST=Maryland/L=Annapolis/O=Fort Kickass/CN=/emailAddress=jon@jonmorton.com"

+5

nginx, X_REQUESTED_WITH . nginx .

nginx, underscores_in_headers on;, ignore_invalid_headers off;.

python , django nginx -, , X_REQUESTED_WITH X-REQUESTED-WITH. (Django 'HTTP_' x, request.META.)

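import requests
url = 'https://example.test/'  # placeholder URL (not from the original answer)
payload = {}  # placeholder form data
headers = {'X-REQUESTED-WITH':'XMLHttpRequest'}  # hyphens, not underscores
r = requests.post(url, data=payload, headers=headers)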
+2
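
Added example (not part of either answer, and not nginx's own code): a simplified Python model of the two nginx directives named in the second answer, underscores_in_headers and ignore_invalid_headers, and of the HTTP_ renaming the application sees, showing when a header whose name contains underscores survives the proxy hop. The function names and the sample DN are constructed for illustration.

```python
# Added example: a simplified model of nginx's request-header name check and
# of the CGI/WSGI/Rack renaming the application sees. Not nginx source code.
import re

_BASE = re.compile(r"^[A-Za-z0-9-]+$")             # letters, digits, hyphens
_WITH_UNDERSCORE = re.compile(r"^[A-Za-z0-9_-]+$")  # underscores also allowed


def nginx_keeps(name, underscores_in_headers=False, ignore_invalid_headers=True):
    """True if nginx keeps a request header with this name under the given directives."""
    valid = (_WITH_UNDERSCORE if underscores_in_headers else _BASE).match(name)
    return bool(valid) or not ignore_invalid_headers


def env_key(name):
    """Name the application sees (Rack env, Django request.META)."""
    return "HTTP_" + name.upper().replace("-", "_")


def forwarded_env(headers, **directives):
    """Environment the app receives after the headers pass one nginx hop."""
    return {env_key(n): v for n, v in headers.items() if nginx_keeps(n, **directives)}


def colliding_names(headers):
    """Groups of distinct header names that map to the same env key."""
    groups = {}
    for name in headers:
        groups.setdefault(env_key(name), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample values, not taken from a real request.
DN = "/C=US/O=Example/CN=constructed"
underscored = {"X_SSL_CLIENT_S_DN": DN}
hyphenated = {"X-SSL-Client-S-DN": DN}

if __name__ == "__main__":
    print(forwarded_env(underscored))                                # default: dropped
    print(forwarded_env(underscored, underscores_in_headers=True))   # kept
    print(forwarded_env(underscored, ignore_invalid_headers=False))  # kept
    print(forwarded_env(hyphenated))                                 # kept by default
    print(colliding_names({**underscored, **hyphenated}))            # same env key
```

When underscores are allowed, X_SSL_CLIENT_S_DN and X-SSL-Client-S-DN reach the application under the same key, so the proxy that performs client certificate verification should set or clear this header itself rather than pass a client-supplied value through.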
