Reverse Proxy Advanced Topics
The preceding configuration is constructed out of the following parts to achieve the
objective of having NGINX validate client SSL certificates before passing the request
on to the upstream server:
- The argument to the ssl_client_certificate directive specifies the path to the PEM-encoded list of root CA certificates that will be considered valid signers of client certificates.
- The ssl_crl argument indicates the path to a certificate revocation list, issued by the Certificate Authority responsible for signing client certificates. This CRL needs to be downloaded separately and periodically refreshed.
- The ssl_verify_client directive states that we want NGINX to check the validity of SSL certificates presented by clients.
- The ssl_verify_depth directive determines how many signers in the chain will be checked before the certificate is declared invalid. SSL certificates may be signed by one or more intermediate CAs. Either an intermediate CA certificate or the root CA that signed it needs to be in our ssl_client_certificate path for NGINX to consider the client certificate valid.
- If some sort of error occurred during client certificate validation, NGINX will return the non-standard error code 495. We have defined an error_page that matches this code and redirects the request to a named location, to be handled by a separate proxied server. We also include a check for the value of $ssl_client_verify within the proxy_pass location, so that an invalid certificate will also return this code.
- If a certificate is not valid, NGINX will return the non-standard error code 496, which we capture as well with an error_page directive. The error_page directive that we define points to a named location, which proxies the request to a separate error handler.
Only when the client has presented a valid SSL certificate will NGINX pass the
request on to the secured upstream server. By doing so, we have ensured that
only authenticated users actually get to place requests to the upstream server.
This is an important security feature of a reverse proxy.
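The following server block is an added example (not the book's own listing) that assembles the parts described above into one configuration; the upstream names `backend` and `cert_error_handler`, the certificate and CRL paths, and the named location `@cert_error` are assumptions.

```nginx
# Added example, not the book's listing: upstream names, paths and the
# named location are assumptions; adjust them to your environment.
upstream backend {
    server 127.0.0.1:8080;
}

upstream cert_error_handler {
    server 127.0.0.1:8081;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate         /usr/local/etc/nginx/www.example.com.crt;
    ssl_certificate_key     /usr/local/etc/nginx/www.example.com.key;

    # PEM bundle of root (and intermediate) CAs accepted as client cert signers.
    ssl_client_certificate  /usr/local/etc/nginx/ClientCertCAs.pem;
    # CRL published by the same CA; fetch it on a schedule and reload NGINX.
    ssl_crl                 /usr/local/etc/nginx/ClientCertCRLs.crl;
    # Require a client certificate and verify it against the bundle above.
    ssl_verify_client       on;
    # Walk at most two signers: client cert -> intermediate CA -> root CA.
    ssl_verify_depth        2;

    # 495: an error occurred while validating the client certificate.
    error_page 495 = @cert_error;
    # 496: the other client-certificate error code; sent to the same handler.
    error_page 496 = @cert_error;

    location / {
        # Second line of defence: never proxy unless verification succeeded.
        if ($ssl_client_verify != SUCCESS) {
            return 495;
        }
        proxy_pass http://backend;
        # Pass the verified identity upstream so it can authorize on it.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }

    # Named location reached only via error_page; proxies to the error handler.
    location @cert_error {
        proxy_pass http://cert_error_handler;
    }
}
```

Check the result with `nginx -t` before reloading, and confirm that a request without a certificate, and one with a revoked certificate, both end up at the error handler rather than at `backend`.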
NGINX from Version 1.3.7 provides the capability to use OCSP
responders to verify client SSL certificates. See the ssl_stapling*
and ssl_trusted_certificate directives in Appendix A, Directive
Reference, for a description of how to activate this functionality.