
I would like to use Nginx as a frontend SSL proxy with Letsencrypt certificates and also limit client access to certain backend servers with another (self-signed) certificate. I cannot use Letsencrypt for both since it does not offer client certificates. How can I use two different certificate chains, Letsencrypt for securing traffic and self-signed for client authentication? I have read that in Nginx v1.11 the ssl_certificate directive can be specified multiple times and I tried the configuration below, but the browser refused to connect. I suspect this is because the wrong chain is being presented to the browser.

server {
    listen              443 ssl;

    server_name         <frontend>;
    include             snippets/letsencrypt.conf; # <=== Letsencrypt certs
    include             snippets/ssl-params.conf;

    # Mandatory certificate request setup, self-signed certs
    # NOTE(review): if snippets/letsencrypt.conf also sets ssl_certificate /
    # ssl_certificate_key, this server block loads two server certificates.
    # Multiple ssl_certificate directives are intended for different key
    # types (e.g. RSA plus ECDSA); with two certificates of the same type
    # only one is presented to the browser — presumably this self-signed one —
    # which would explain the refused connection. ssl_client_certificate and
    # ssl_verify_client below are independent of ssl_certificate: they only
    # define the CA used to verify client certificates and do not require a
    # matching server certificate.
    ssl_certificate         /etc/nginx/certs/server.crt;
    ssl_certificate_key     /etc/nginx/certs/server_np.key;
    ssl_client_certificate  /etc/nginx/certs/ca.crt;
    ssl_verify_client       on;


    location /secret {
        proxy_pass      http://192.168.122.100:80/secret;
        proxy_redirect      http://192.168.122.100:80/secret https://<frontend>/secret;
        proxy_set_header    X-Real-IP  $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
        proxy_set_header    X-Forwarded-Port 443;
        proxy_set_header    Host $host;
    }
}
shpokas
  • I don't think this will work. Even if you can specify multiple certs in `nginx`, only one will be used for the connection, either the LetsEncrypt one or your self-signed certificate. – Sven Feb 24 '17 at 11:54
  • I've not tried it, but `ssl_certificate` should be the bundle from LetsEncrypt, while `ssl_client_certificate` is the trust anchor (or root CA certificate) of your private CA. – garethTheRed Feb 24 '17 at 12:53



@Sven: Actually, the proposed configuration works. @garethTheRed: yes, you are right, ssl_certificate and ssl_client_certificate are unrelated — the former is the chain the server presents to browsers, the latter only the CA used to verify client certificates.

Full working configuration:

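server {
    listen                  443 ssl;

    server_name             <frontend>;
    include                 snippets/ssl-params.conf;

    # Server identity presented to browsers: the Letsencrypt full chain.
    # This is unrelated to the client-authentication CA configured below.
    ssl_certificate         /etc/nginx/certs/letsencrypt_fullchain.crt;
    ssl_certificate_key     /etc/nginx/certs/letsencrypt.key;

    # Mandatory certificate request setup, self-signed certs
    # ssl_client_certificate is only the trust anchor used to verify client
    # certificates; it is never sent as part of the server's chain.
    # NOTE: with "on", every request to this server_name (not only /secret)
    # is rejected unless the client presents a certificate chaining to this
    # CA. If other paths must stay open, use "optional" and check
    # $ssl_client_verify inside the restricted location instead.
    # ssl_verify_depth defaults to 1; raise it if the client CA issues
    # through intermediates.
    ssl_client_certificate  /etc/nginx/certs/ca_to_verify_agains_not-not_letsencrypt.crt;
    ssl_crl                 /etc/nginx/certs/ca_to_verify_agains_not-not_letsencrypt.crl;
    ssl_verify_client       on;

    location /secret {
        # The backend is plain HTTP: the client-certificate check only
        # protects this path if 192.168.122.100:80 is not reachable by
        # clients except through this proxy.
        proxy_pass          http://192.168.122.100:80/secret;
        proxy_redirect      http://192.168.122.100:80/secret https://<frontend>/secret;
        proxy_set_header    X-Real-IP  $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
        proxy_set_header    X-Forwarded-Port 443;
        proxy_set_header    Host $host;
        # Tell the backend which client certificate was accepted. The header
        # name is a local convention (constructed here); the backend must
        # trust it only when the request arrives from this proxy.
        proxy_set_header    X-SSL-Client-S-DN $ssl_client_s_dn;
    }
}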
shpokas