I don't think this is possible. By the time you know the client wishes to request the /winac location, the SSL session has already been established, at which point the server can no longer send a ClientCertificateRequest.
Using the stream module to proxy the whole connection may work, but obviously this prevents changing functionality at the HTTP level.

http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html

On Tue, Jul 3, 2018 at 3:24 PM mevans336 <nginx-fo...@forum.nginx.org> wrote:

> I am trying to set up a reverse proxy to the Windows Admin Center (WAC). The
> WAC requires the use of a client certificate for authentication. When I log
> into the WAC via https://localhost:6516 or https://192.168.0.100:6516 I am
> prompted for the certificate and everything works fine. If I attempt to log
> in from outside my network across the WAN, I simply receive a 403 without
> being prompted for the certificate.
>
> Microsoft says if you don't get the certificate prompt or choose the wrong
> one, you will get the 403, so I think something with my nginx reverse proxy
> config needs to be set to pass the certificate request through?
>
> Here is the relevant config ... I started with nothing but a bare proxy_pass
> and have added the rest of the directives on as I was trying to get it
> working.
>
>     location /winac {
>         proxy_pass https://192.168.0.100:6516;
>         proxy_ssl_verify off;
>         proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
>         proxy_set_header X-SSL-CERT $ssl_client_cert;
>         proxy_pass_request_headers on;
>     }
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,280385,280385#msg-280385
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
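A sketch of the stream-module approach mentioned in the reply, as an added example that is not part of the original thread: nginx reads only the SNI name from the ClientHello and forwards the raw TLS connection, so WAC performs its own handshake and requests the client certificate itself. The hostnames wac.example.com and www.example.com, the 127.0.0.1:8443 listener and the certificate paths are assumptions for illustration; only 192.168.0.100:6516 comes from the post.

```nginx
# Added example, not the poster's config. Hostnames, the 8443 listener and
# the certificate paths are assumed placeholders.
events {}

stream {
    # Pick an upstream from the SNI name without terminating TLS.
    map $ssl_preread_server_name $tls_backend {
        # WAC completes the handshake itself and asks for the client certificate.
        wac.example.com  192.168.0.100:6516;
        # Everything else goes to nginx's ordinary HTTPS vhosts, moved off :443.
        default          127.0.0.1:8443;
    }

    server {
        listen 443;
        ssl_preread on;              # needs ngx_stream_ssl_preread_module
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}

http {
    server {
        # Regular sites keep TLS termination in nginx, now behind the stream listener.
        listen 127.0.0.1:8443 ssl;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/tls/www.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;

        location / {
            return 200 "ok\n";
        }
    }
}
```

Because nginx never decrypts the WAC connection, it cannot route on the /winac path, add headers or log individual requests for that name, which is why this uses a dedicated hostname. Authentication for that hostname rests entirely on WAC's own client-certificate check.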