Mastering Nginx


Reverse Proxy Advanced Topics



SSL ciphers
The preceding ciphers were chosen based on NGINX's default, which excludes those that offer no authentication (aNULL) as well as those using MD5. RC4 is placed at the beginning so that ciphers not susceptible to the BEAST attack described in CVE-2011-3389 are preferred. The @STRENGTH string at the end sorts the list of ciphers by the key length of the encryption algorithm. Note that this ordering reflects the state of the art at the time of writing: RC4 has since been shown to have exploitable keystream biases and its use in TLS is prohibited by RFC 7465, while BEAST is addressed by TLS 1.1 and later. A current deployment should drop RC4 entirely and prefer the TLS 1.2 AEAD suites (AES-GCM, ChaCha20-Poly1305) to any CBC-mode cipher.

We have just encrypted the traffic passing between the client and the reverse proxy. It is also possible to encrypt the traffic between the reverse proxy and the upstream server:


server {
    # proxy_pass is only valid inside a location (or if/limit_except) block,
    # not directly in the server context
    location / {
        proxy_pass https://upstream;
    }
}

This is usually only reserved for those architectures in which even the internal network over which such a connection flows is considered insecure. Encrypting the hop is only half of the job, however: NGINX does not verify the upstream's certificate unless told to (proxy_ssl_verify is off by default), so without verification the connection is still open to an active attacker on that same network.
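The following configuration is an added example, not code from the book: it proxies to an upstream over TLS and, unlike NGINX's default, verifies the upstream's certificate and name. The proxy_ssl_verify, proxy_ssl_trusted_certificate, proxy_ssl_server_name and proxy_ssl_name directives require NGINX 1.7.0 or later. The upstream address, the hostname app.internal.example.com and the file paths are assumptions for illustration.

```nginx
# Added example (not from the book): TLS to the upstream with certificate
# verification. Addresses, hostnames and paths are hypothetical.
upstream backend_tls {
    server 10.0.0.20:443;    # hypothetical internal application server
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://backend_tls;

        # NGINX does not verify the upstream certificate by default
        # (proxy_ssl_verify off). Turn verification on and pin the CA
        # that issued the upstream's certificate; an attacker on the
        # internal network can no longer substitute their own endpoint.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;

        # Send SNI and check the certificate against the upstream's real
        # hostname. Without proxy_ssl_name the name checked would be the
        # upstream group name "backend_tls", which no certificate carries.
        proxy_ssl_server_name on;
        proxy_ssl_name        app.internal.example.com;

        # Same hygiene as on the client-facing side: no legacy protocols.
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;
    }
}
```

With proxy_ssl_verify on, a handshake against a certificate that is not issued by internal-ca.crt, or whose name does not match proxy_ssl_name, is rejected and the client receives a 502 rather than a response from an impostor; check the error log for "upstream SSL certificate verify error" when debugging the trust chain.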


Authenticating clients using SSL


Some applications use information from the SSL certificate the client presents, but this information is not directly available in a reverse proxy architecture: the TLS connection terminates at the proxy, and the upstream server only sees a new connection originating from NGINX. To pass this information along to the application, you can instruct NGINX to set an additional header:


location /ssl {
    proxy_set_header ssl_client_cert $ssl_client_cert;
    proxy_pass http://upstream;
}

The $ssl_client_cert variable contains the client's SSL certificate in PEM format, with every line after the first prefixed by a tab so that the multi-line certificate fits into a single header value. It is only populated when ssl_verify_client is set to on or optional (that is, when NGINX actually requests a certificate during the handshake) and the client presented one; the outcome of the verification is available in $ssl_client_verify as SUCCESS, NONE, or FAILED:reason. Here we pass the certificate on to the upstream server in a header of the same name (NGINX 1.13.5 and later also offer $ssl_client_escaped_cert, a URL-encoded form that is easier for applications to handle). The application itself is then responsible for using this information in whatever way is appropriate, and it must trust the header only on requests that arrive through the reverse proxy: proxy_set_header replaces any header of the same name that the client sent, so a client cannot inject a forged certificate through NGINX, but it could do so by reaching the upstream directly.
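The following server block is an added example, not code from the book, that puts the pieces together: it requests a client certificate issued by a CA we control, rejects requests to the protected location when verification did not succeed, and forwards the verification result, the subject DN and the certificate itself to the application. It assumes NGINX 1.13.5 or later (for $ssl_client_escaped_cert); the upstream address, the CA and key file paths and the X-SSL-Client-* header names are assumptions for illustration.

```nginx
# Added example (not from the book): client certificate authentication at the
# reverse proxy. Addresses, paths and header names are hypothetical.
upstream backend {
    server 10.0.0.10:8080;   # hypothetical application server (plain HTTP)
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # CA that issued the client certificates we trust. "optional" lets the
    # handshake complete without a certificate, so the decision is made per
    # location and the client gets a proper 403 instead of a TLS alert.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    location /ssl {
        # $ssl_client_verify is SUCCESS, NONE (no certificate presented)
        # or FAILED:<reason>; only SUCCESS may reach the application.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Hyphenated header names: several upstream servers and CGI
        # gateways drop, or ambiguously map, names containing underscores.
        # proxy_set_header also replaces any value the client itself sent
        # under these names, so they cannot be spoofed through the proxy.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;

        proxy_pass http://backend;
    }

    location / {
        # Locations that do not use the certificate must not forward a
        # client-supplied copy either: an empty value means the header is
        # not passed at all, whatever the client sent.
        proxy_set_header X-SSL-Client-Verify "";
        proxy_set_header X-SSL-Client-S-DN   "";
        proxy_set_header X-SSL-Client-Cert   "";

        proxy_pass http://backend;
    }
}
```

The application behind this proxy should URL-decode X-SSL-Client-Cert before parsing the PEM, and should still be firewalled so that only the proxy can reach port 8080; otherwise any host that can open a connection to the backend directly can present whatever X-SSL-Client-* headers it likes.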
