Opened 3 years ago

Closed 3 years ago

#2249 closed defect (invalid)

nginx proxy makes grpc two-way authentication fail

Reported by: inaryart@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: grpc Cc:
uname -a: windows
nginx -V: nginx version: nginx/1.20.1
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1k 25 Mar 2021
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.44 --with-zlib=objs.msvc8/lib/zlib-1.2.11 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1k --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

Description

When the nginx grpc proxy is not used, the grpc server will verify whether the client certificate is valid


When using the nginx grpc proxy, the grpc server can receive messages normally, but no longer verifies the client certificate.


When the nginx client certificate verification is enabled, the wrong certificate will be intercepted, but this is intercepted by the nginx client.

        ssl_client_certificate	..\\..\\ssl_key\\root_ca.crt;
        ssl_verify_client on; 

I hope that when this option is turned off, the grpc server will still verify the grpc client certificate.

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: new → closed

Authentication with SSL certificates can only be used to authenticate participants of the particular SSL connection. As long as you are proxying connections through nginx with SSL termination, there are two connections: one from the client to nginx, and another one from nginx to the upstream grpc server. Since the client and the grpc server are no longer directly connected, it is not possible for the grpc server to verify the certificate of the client. That is, in such a setup only nginx can verify the certificate of the client, and verification of the client certificate by the grpc server is not possible.

Instead, consider the following options:

  1. Switch to a different authentication method.
  2. Verify the client certificate on nginx and provide the verification results and the certificate of the client to your grpc server with the grpc_set_header directive (and the $ssl_client_escaped_cert variable). You'll have to modify your grpc server to use this certificate when the connection is proxied by nginx.
  3. Authenticate nginx instead, by providing appropriate certificate with the grpc_ssl_certificate and grpc_ssl_certificate_key directives.

Hope this helps. If you have further questions on configuring nginx, consider the support options available.
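Options 2 and 3 from the comment above, combined into one worked nginx configuration (an added example, not configuration from the ticket or from the nginx project; all file paths, hostnames and the upstream address are placeholders):

```nginx
# Added example, not from the ticket. nginx terminates TLS and verifies the
# gRPC client's certificate itself (option 2), then re-encrypts to the
# upstream and authenticates itself to it with its own certificate (option 3).
# Paths, server names and the upstream address are placeholders.
server {
    listen 443 ssl http2;
    server_name grpc.example.test;

    ssl_certificate     /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    # Client-certificate verification happens on the client <-> nginx
    # connection; requests without a valid certificate never reach the
    # location block below.
    ssl_client_certificate /etc/nginx/ssl/root_ca.crt;
    ssl_verify_client      on;

    location / {
        grpc_pass grpcs://127.0.0.1:50051;

        # Hand the verification result, the URL-encoded PEM certificate and
        # the subject DN to the upstream. Headers set with grpc_set_header
        # replace any same-named header sent by the client, so the upstream
        # should trust these headers only on connections coming from nginx.
        grpc_set_header X-SSL-Client-Verify $ssl_client_verify;
        grpc_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
        grpc_set_header X-SSL-Client-DN     $ssl_client_s_dn;

        # nginx authenticates itself to the upstream gRPC server with its
        # own client certificate (option 3) ...
        grpc_ssl_certificate     /etc/nginx/ssl/nginx-client.crt;
        grpc_ssl_certificate_key /etc/nginx/ssl/nginx-client.key;

        # ... and verifies the upstream's certificate in turn, so the
        # nginx <-> upstream hop is mutually authenticated as well.
        grpc_ssl_verify              on;
        grpc_ssl_trusted_certificate /etc/nginx/ssl/upstream_ca.crt;
        grpc_ssl_name                grpc-backend.internal;
    }
}
```

On the upstream, the gRPC server should require the nginx client certificate and read the end-user identity from the X-SSL-Client-* metadata only after that check, URL-decoding X-SSL-Client-Cert to recover the PEM.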
