Context Navigation

← Previous Change
Ticket History
Next Change →

Changes between Initial Version and Version 1 of Ticket #2476

Timestamp:: 03/29/23 07:31:49 (20 months ago)
Author:: Preetham777@…
Comment:

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #2476 – Description

-              initial
+              v1
 Hi Team,
 I'm trying a setup where the client cert auth is enabled to optional_on_ca, and when the curl is initiated with client cert which is the chain of certificate ( in the order of client, inter CA,  root CA cert). But when checked in the header ssl-client-cert only the client cert is being added and interCA and rootCA are discarded.
+I'm trying a setup where the client cert auth is enabled to optional_no_ca, and when the curl is initiated with client cert which is the chain of certificate ( in the order of client, inter CA,  root CA cert). But when checked in the header ssl-client-cert only the client cert is being added and interCA and rootCA are discarded.
 Is is supported by Nginx and if so yes is there any documentation on the same?
+here is the trimmed version of nginx
+```
+        ssl_certificate     instance3.pem;
+        ssl_certificate_key instance3.pem;
+        ...
+        server {
+                ...
+                ssl_client_certificate                  ca-pg-ca.pem;
+                ssl_verify_client                       optional_no_ca;
+                ssl_verify_depth                        4;
+                location ~* "^/" {
+                        ...
+                        client_max_body_size                    1m;
+                        proxy_set_header Host                   $best_http_host;
+                        # Pass the extracted client certificate to the backend
+                        proxy_set_header ssl-client-cert        $ssl_client_escaped_cert;
+                        proxy_set_header ssl-client-verify      $ssl_client_verify;
+                        proxy_set_header ssl-client-subject-dn  $ssl_client_s_dn;
+                        proxy_set_header ssl-client-issuer-dn   $ssl_client_i_dn;
+                        # Allow websocket connections
+                        proxy_set_header                        Upgrade           $http_upgrade;
+                        proxy_set_header                        Connection        $connection_upgrade;
+                        proxy_set_header X-Request-ID           $req_id;
+                        proxy_set_header X-Real-IP              $remote_addr;
+                        proxy_set_header X-Forwarded-For        $remote_addr;
+                        proxy_set_header X-Forwarded-Host       $best_http_host;
+                        proxy_connect_timeout                   5s;
+                        proxy_send_timeout                      60s;
+                        proxy_read_timeout                      60s;
+                        proxy_buffering                         off;
+                        proxy_buffer_size                       4k;
+                        proxy_buffers                           4 4k;
+                        proxy_max_temp_file_size                1024m;
+                        proxy_request_buffering                 on;
+                        proxy_http_version                      1.1;
+                        proxy_cookie_domain                     off;
+                        proxy_cookie_path                       off;
+                        proxy_redirect  off;
+                }
+        }
+```
+* instance3.pem contains the server cert and key in the pem format.
+* ca-pg-ca.pem contains only rootCa cert required for the client cert auth.