We have a setup with the Kong API gateway (which runs NGINX in the background) where one of the upstreams is an Apache server on which we want to do client certificate validation.

I'm running my tests with curl, where I request Kong (NGINX) and it forwards the request to Apache. I'm using curl --cert cert.crt --key key.key "https://kongurl.com/blabla"

On the NGINX side, I've set a custom log to see if the certificate (at least the serial) is coming through, and I can see it:

log_format combined_sslclient '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$ssl_client_s_dn($ssl_client_serial)"';
access_log log/access.log combined_sslclient;

Then I see this on log/access.log:

123.123.123.123 - - [01/Oct/2020:15:52:33 +0200] "GET /my/custom/path HTTP/1.1" 204 0 "-" "curl/7.68.0" "CN=CERT_CN,OU=CERT_OU,O=CERT_O,C=CERT_C(CERT_SERIAL_NUMBER)"

Then on NGINX I have these SSL properties too:

server {
    ...
    proxy_set_header X-SSL-CERT $ssl_client_serial;
    ssl_verify_client on;
    ...
}

Then on the Apache side, I set up the forensic module to read all the headers from incoming requests, and I can only see other stuff... and not X-SSL-CERT. Here is the log from the forensic module on the Apache side:

+289:5f75df21:1|GET /my/custom/path HTTP/1.1|Host:mykonghost%3a8412|Connection:keep-alive|X-Forwarded-For:10.1.1.1|X-Forwarded-Proto:https|X-Forwarded-Host:mykonghost|X-Forwarded-Port:8443|X-Real-IP:10.1.1.1|User-Agent:curl/7.68.0|Accept:*/*|X-Consumer-ID:d853e4d0-f8f1-4dcf-8fa7-58d3b2c67ee0|X-Consumer-Username:anonymous|X-Consumer-Custom-ID:nil|X-Anonymous-Consumer:true
-289:5f75df21:1

So as you can see... some other headers come through, but not the ones about the certificate.

I've already tried sending different NGINX SSL variables and so far no luck... anything that I'm missing?

Update:

Looks like the problem is not even the certificate variable... I changed NGINX to:

proxy_set_header HTTP_X_TESTING 'bar';

And I still can't see it on the Apache side.

Lucas Mattos

1 Answer

I was able to fix this by putting proxy_set_header inside the location {} block and not the server {} block.

Lucas Mattos
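Why the server-level directive was ignored, as an added example that is not part of the original question or answer: nginx inherits proxy_set_header into a location{} only when that location sets no proxy_set_header of its own, and Kong's generated location blocks always set several (the X-Real-IP and X-Forwarded-* headers visible in the forensic log above), so anything set at server{} level never reaches the upstream. The shell script below is an added example, not code from the question or from Kong: it writes two constructed nginx fragments (the layout from the question and the layout from the answer) and audits them with awk to show which proxy_set_header lines would actually be sent. The upstream name apache_upstream, the temp-file paths and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an nginx config for
# proxy_set_header directives that nginx will silently ignore: a location{}
# inherits proxy_set_header from server{} only if the location itself sets
# none. Kong's generated location blocks always set their own (X-Real-IP,
# X-Forwarded-*), so a header added at server{} level never reaches Apache.
# All paths, function names and the upstream "apache_upstream" are hypothetical.
set -eu

# Constructed config reproducing the question: header in server{}, while the
# location{} (what Kong generates) sets its own proxy_set_header lines.
write_broken_config() {
  cat > "$1" <<'EOF'
server {
    listen 8443 ssl;
    ssl_verify_client on;
    proxy_set_header X-SSL-CERT $ssl_client_serial;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://apache_upstream;
    }
}
EOF
}

# Constructed config with the fix from the answer: the certificate headers
# sit in the same location{} as the other proxy_set_header lines. Because
# proxy_set_header replaces any header of that name the client sent, the
# client cannot smuggle its own X-SSL-CERT value through to Apache.
write_fixed_config() {
  cat > "$1" <<'EOF'
server {
    listen 8443 ssl;
    ssl_verify_client on;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-SSL-CERT $ssl_client_serial;
        proxy_set_header X-SSL-VERIFY $ssl_client_verify;
        proxy_pass http://apache_upstream;
    }
}
EOF
}

# Walk one config file, tracking brace depth, and report for every location{}
# whether server-level proxy_set_header directives are inherited or dropped.
# Handles one level of server{} -> location{} nesting, which is the common case.
audit_proxy_headers() {
  awk '
    BEGIN { depth = 0; srvdepth = -1; locdepth = -1; nsrv = 0; nloc = 0 }
    {
      opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
      if ($1 == "server" && opens) {
        srvdepth = depth + 1; nsrv = 0; nloc = 0
      } else if ($1 == "location" && opens) {
        nloc++; loc_name[nloc] = $0; loc_own[nloc] = 0; locdepth = depth + 1
        sub(/^[[:space:]]*location[[:space:]]*/, "", loc_name[nloc])
        sub(/[[:space:]]*[{].*$/, "", loc_name[nloc])
      } else if ($1 == "proxy_set_header") {
        if (depth == locdepth) loc_own[nloc]++
        else if (depth == srvdepth) srv_hdr[++nsrv] = $2
      }
      depth += opens - closes
      if (locdepth > 0 && depth < locdepth) locdepth = -1
      if (srvdepth > 0 && depth < srvdepth) {
        for (l = 1; l <= nloc; l++) {
          if (loc_own[l] > 0 && nsrv > 0) {
            for (i = 1; i <= nsrv; i++)
              printf "DROPPED: server-level %s never reaches the upstream of location \"%s\" (it defines %d proxy_set_header of its own)\n", srv_hdr[i], loc_name[l], loc_own[l]
          } else {
            printf "OK: location \"%s\" (own proxy_set_header: %d, inherited from server: %d)\n", loc_name[l], loc_own[l], (loc_own[l] > 0 ? 0 : nsrv)
          }
        }
        srvdepth = -1
      }
    }' "$1"
}

# Usage: audit both constructed layouts and print the verdict for each.
broken=$(mktemp); fixed=$(mktemp)
write_broken_config "$broken"; write_fixed_config "$fixed"
echo "== header at server level (as in the question) =="; audit_proxy_headers "$broken"
echo "== header inside location (as in the answer) ==";  audit_proxy_headers "$fixed"
rm -f "$broken" "$fixed"
```

On a live box the same check is quicker against the effective configuration, `nginx -T`, which prints every included file (Kong's generated nginx-kong.conf among them) so you can see which location is serving the route and which proxy_set_header lines it already carries. Two caveats for the Apache side: with ssl_verify_client on, $ssl_client_verify is always SUCCESS for requests that get through, so the X-SSL-VERIFY header only adds information if you later switch to `ssl_verify_client optional`; and Apache should trust X-SSL-CERT only if it can be reached solely through nginx, since a client that can talk to Apache directly can send any header it likes.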