I am using a setup wherein a chain certificate (Root CA Cert -> Intermediate CA Cert -> Client Cert) is being sent to the Nginx. I need to configure Nginx in such a way that it forwards the entire certificate chain to the middleware. Right now, it is just sending the leaf certificate, i.e. the client certificate.
I found the following options in the Nginx documentation (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate):
1- $ssl_client_escaped_cert
2- $ssl_client_cert
None of the above returns the full certificate chain.
Is anyone aware if there is such an option available?
2 Answers
This seems to be impossible by design – see https://serverfault.com/questions/576965/nginx-proxy-pass-with-a-backend-requesting-client-certificates
The usage of $ssl_client_escaped_cert (as explained in https://clairekeum.wordpress.com/2018/12/05/passing-client-cert-through-nginx-to-the-backend/) seems to be your only option.

This may not be a complete answer, but thought I'd post some resources that may give you a couple of ideas.
If you want the client cert details downstream, then one option is to avoid terminating Mutual TLS in nginx by using the stream module. Here is an example:
In this setup there are 2 Mutual TLS connections being routed via nginx:
Note that this uses a LUA plugin and the ssl_client_raw_cert property to do the extra work of calculating a SHA256 thumbprint, which NGINX itself does not support.

Generally though, it makes sense to externalise Mutual TLS plumbing from application level components, as in the above example. E.g. you can forward ssl_client_escaped_cert to your middleware, but perhaps nginx should do the more detailed work of checking issuers.
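Both answers above land on the same approach: nginx terminates mutual TLS, verifies the client certificate against its configured CA chain (ssl_client_certificate / ssl_verify_client), and passes only the leaf to the backend with something like `proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;`. The backend then has to unescape the header, recover the PEM/DER, and decide what to do with it; the second answer mentions computing a SHA256 thumbprint for that purpose. The following is an added example, not code from the question, either answer or nginx, of a backend-side helper that does exactly that with the Python standard library. The header name `X-SSL-Client-Cert`, the trusted-proxy address list and the placeholder certificate bytes are all constructed assumptions; the placeholder is not a real certificate, only the PEM framing and URL-escaping are exercised, so the thumbprint allow-list check stands in for whatever identity mapping the middleware really performs.

```python
import hashlib
import ssl
from urllib.parse import quote, unquote

# Assumed header name; must match the proxy_set_header line in nginx.conf.
CLIENT_CERT_HEADER = "x-ssl-client-cert"

# Assumed addresses of the nginx hop. The header is only trustworthy when the
# request actually came through nginx, because any direct client could set it.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

# Constructed placeholder standing in for DER bytes of a client certificate
# (NOT a real certificate). ssl.DER_cert_to_PEM_cert only base64-wraps, so the
# PEM framing nginx exposes via $ssl_client_cert is reproduced faithfully.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Approximation of $ssl_client_escaped_cert: the PEM text percent-encoded so
# that newlines and '+' survive transport in a single HTTP header value.
SAMPLE_HEADER = quote(SAMPLE_PEM, safe="")


def client_cert_from_headers(headers, peer_addr):
    """Return the DER bytes of the client certificate forwarded by nginx.

    Raises ValueError when the request did not arrive from a trusted proxy,
    when the header is absent, or when the unescaped value is not PEM-framed.
    """
    if peer_addr not in TRUSTED_PROXIES:
        raise ValueError("client certificate header accepted only from the nginx proxy")

    lowered = {name.lower(): value for name, value in headers.items()}
    escaped = lowered.get(CLIENT_CERT_HEADER)
    if not escaped:
        raise ValueError("no client certificate header present")

    pem = unquote(escaped)
    # PEM_cert_to_DER_cert checks the BEGIN/END CERTIFICATE markers and
    # raises ValueError on malformed framing; it does not parse ASN.1.
    return ssl.PEM_cert_to_DER_cert(pem)


def thumbprint_sha256(der):
    """Hex SHA-256 over the DER encoding, the usual certificate thumbprint."""
    return hashlib.sha256(der).hexdigest()


def authorize(headers, peer_addr, allowed_thumbprints):
    """Map the forwarded certificate to an allow/deny decision.

    Returns (allowed, thumbprint). Pinning thumbprints is one way a backend can
    act on the leaf alone, since nginx has already validated the chain.
    """
    der = client_cert_from_headers(headers, peer_addr)
    thumbprint = thumbprint_sha256(der)
    return thumbprint in allowed_thumbprints, thumbprint


if __name__ == "__main__":
    # Constructed request as nginx would forward it to the middleware.
    request_headers = {"X-SSL-Client-Cert": SAMPLE_HEADER}
    allowed = {thumbprint_sha256(SAMPLE_DER)}
    decision, tp = authorize(request_headers, "127.0.0.1", allowed)
    print("thumbprint:", tp, "allowed:", decision)
```

On the nginx side the only moving parts are `ssl_verify_client on;` with `ssl_client_certificate` pointing at the Root and Intermediate CA bundle, plus the `proxy_set_header` line; the backend never sees the intermediates, so chain validation has to be complete at nginx, and the backend must refuse the header from any peer other than nginx.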