Thanks Lukas! Guess I have to patch Nginx to use client certificates with
upstream servers.
Any suggestion as to a good place to start? I'm looking to
ngx_http_upstream.c and ngx_event_openssl.c
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,247305,247433#msg-247433
___
>
> you are using client certificates, which is why you need a certificate
> + key
> on the nginx side to connect to upstream https.
>
I am using client certificates on nginx side to connect to upstream https.
The issue is when I turn on client verification on the upstream server, nginx
doesn't provid
Hello!
> The only thing you can specify is ssl_client_certificate (and
> ssl_client_certificate_key), and it is used only in connections
> with clients.
>
Following Nginx docs
(http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) you
can specify ssl_certificate_key and ssl_ce
itpp2012 Wrote:
---
> > I've heard that stunnel does not scale very well. I'm looking at
> > managing a lot of simultaneous ssl connections hence using Nginx.
>
> You can loadbalance them, even create a pool for one worker with Lua
> and expand t
tbamise Wrote:
---
> >
> > Connections to upstream servers don't use any client certificates.
> >
>
> Yes I agree. The connection to the upstream server uses the nginx
> server certificates specified by $ssl_
itpp2012 Wrote:
---
> tbamise Wrote:
> ---
> > Is it possible to use a different set of certs for the client side
> and
> > another set for the upstream server side?
>
> Connections to upstream servers don't use any client certificates.
>
Yes I agree. The connection to the upstream server uses the nginx server
certificates specified by $ssl_certificate(_key).
Basically I want to use:
for downstream to client - a.cert & a.cert.key for connection to clients
fo
Is it possible to use a different set of certs for the client side and
another set for the upstream server side?
My use case is to have different sets of local ssl certs on Nginx. A
key/cert pair for communicating with clients and another set for
communicating with the upstream proxy.
Right now I
>> Patrick Lists wrote in post #1132735:
>>> On 09-01-14 22:48, Styopa Semenukha wrote:
Patrick,
It's not possible, because SSL works on lower level (session layer)
than HTTP
>>> (application layer).
>>>
>>> Thank you for your feedback. That's unfortunate. I hope to see flexible
>>>