Reverse Proxy Prompt for Client Certificate?

Posted by mevans336 
mevans336
Reverse Proxy Prompt for Client Certificate?
July 03, 2018 03:30PM
I am trying to set up a reverse proxy to the Windows Admin Center (WAC). The
WAC requires the use of a client certificate for authentication. When I log
into the WAC via https://localhost:6516 or https://192.168.0.100:6516 I am
prompted for the certificate and everything works fine. If I attempt to log
in from outside my network across the WAN, I simply receive a 403 without
being prompted for the certificate.

Microsoft says if you don't get the certificate prompt or choose the wrong
one, you will get the 403, so I think something with my nginx reverse proxy
config needs to be set to pass the certificate request through?

Here is the relevant config ... I started with nothing but a bare proxy_pass
and have added the rest of the directives on as I was trying to get it
working.

location /winac {
    proxy_pass https://192.168.0.100:6516;
    proxy_ssl_verify off;
    proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
    proxy_set_header X-SSL-CERT $ssl_client_cert;
    proxy_pass_request_headers on;
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280385,280385#msg-280385

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Richard Stanway
Re: Reverse Proxy Prompt for Client Certificate?
July 03, 2018 05:30PM
I don't think this is possible. By the time you know the client wishes to
request the /winac location, the SSL session has already been established,
at which point the server can no longer send a ClientCertificateRequest.

Using the stream module to proxy the whole connection may work, but
obviously this prevents changing functionality at the HTTP level.
http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html

On Tue, Jul 3, 2018 at 3:24 PM mevans336 <[email protected]>
wrote:

> I am trying to set up a reverse proxy to the Windows Admin Center (WAC).
> The
> WAC requires the use of a client certificate for authentication. When I log
> into the WAC via https://localhost:6516 or https://192.168.0.100:6516 I am
> prompted for the certificate and everything works fine. If I attempt to log
> in from outside my network across the WAN, I simply receive a 403 without
> being prompted for the certificate.
>
> Microsoft says if you don't get the certificate prompt or choose the wrong
> one, you will get the 403, so I think something with my nginx reverse proxy
> config needs to be set to pass the certificate request through?
>
> Here is the relevant config ... I started with nothing but a bare
> proxy_pass
> and have added the rest of the directives on as I was trying to get it
> working.
>
> location /winac {
>     proxy_pass https://192.168.0.100:6516;
>     proxy_ssl_verify off;
>     proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
>     proxy_set_header X-SSL-CERT $ssl_client_cert;
>     proxy_pass_request_headers on;
> }
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,280385,280385#msg-280385
mevans336
Re: Reverse Proxy Prompt for Client Certificate?
July 03, 2018 06:20PM
Kemp can do it:
https://www.tech-coffee.net/deploy-windows-admin-center-in-ha-through-kemp-load-balancer/

I can give the stream module a shot also.

Would this be a basic config to get me started?

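stream {
    server {
        listen 443;
        # stream proxy_pass takes an address (host:port), not a URL
        proxy_pass 192.168.1.0:6516;
        # only has an effect when proxy_ssl is on
        proxy_ssl_verify off;
    }
}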

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280385,280393#msg-280393
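
A stream-module passthrough of the kind suggested in the replies above, as an added example that is not part of the thread. It goes one step beyond the thread by routing on the TLS SNI name, so the WAC backend performs its own handshake (including the client certificate request) while other HTTPS sites on port 443 are still terminated by nginx. Assumptions: the hostnames wac.example.com and www.example.com, the local port 8443, the certificate paths, and an nginx build that includes the stream and ssl_preread modules.

```nginx
# Added example; hostnames, port 8443 and certificate paths are assumptions.
events {}

stream {
    # Choose a backend from the SNI name in the ClientHello.
    # TLS is not terminated here, so nginx holds no key for this traffic.
    map $ssl_preread_server_name $tls_backend {
        wac.example.com  192.168.0.100:6516;  # WAC address from the original post
        default          127.0.0.1:8443;      # local http{} listener below
    }

    server {
        listen 443;
        ssl_preread on;            # read the ClientHello only, then relay bytes
        proxy_pass $tls_backend;   # raw TCP relay: no proxy_ssl, no HTTP headers
        proxy_connect_timeout 5s;
    }
}

http {
    # Ordinary TLS-terminating site, moved off 443 so stream{} can own that port.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name www.example.com;

        ssl_certificate     /etc/nginx/tls/www.example.com.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;  # placeholder path

        location / {
            root /var/www/html;
        }
    }
}
```

With this layout the client sees the WAC server's own certificate and WAC sees every connection as coming from the nginx host. Because nginx never sees the HTTP request for that name, any restriction on who may reach it has to be by source address (stream allow/deny) or be enforced by WAC itself.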
