Various errors while configuring nginx for certificate-based client auth

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Various errors while configuring nginx for certificate-based client auth

satay
Hi guys,

I'm using nginx in form of container (docker.io/nginx), version
1.17.3-alpine
I'm trying to setup my nginx to do TLS auth and then forward packets to
another host in the network.
As part of this I also have to support some probes that continuously monitor
a secondary location, same server, same port.

This is my configuration

```
server {
  listen 443 ssl;
  server_name            mydomain.com;

  ssl_certificate        /etc/nginx/certs/tls.crt;
  ssl_certificate_key    /etc/nginx/certs/tls.key;

  ssl_client_certificate /etc/nginx/ca_certs/ca.crt;
  ssl_verify_client      optional;
  ssl_verify_depth       2;

  location = /healthz {
    return 200 'the app is alive!';
  }

  location = / {
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }

    proxy_pass       <a href="http://other-host:8080;">http://other-host:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header SSL_Client $ssl_client_s_dn;
    proxy_set_header SSL_Client_Verify $ssl_client_verify;
  }
}
```

First of all, as soon as I load the configuration I get the following
error:

```
2019/12/05 10:22:35 [emerg] 1#1: invalid condition "!=" in
/etc/nginx/conf.d/mydomain.conf:36
nginx: [emerg] invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36
```

I find this if directive on any possible tutorial. I'm really not sure
what's wrong here...

Also, even if I remove the if clause (just to see if otherwise it would
work) I get another error:

```
2019/12/05 11:10:20 [emerg] 1#1: invalid number of arguments in
"proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
nginx: [emerg] invalid number of arguments in "proxy_set_header" directive
in /etc/nginx/conf.d/mydomain.conf:41
```

Even after removing all the entire `location = /` block (to see if at least
the container starts and /healtz return 200), I still get the following
error:

```
2019/12/05 11:43:30 [error] 8#8: *90 open() "/etc/nginx/html/healtz" failed
(2: No such file or directory), client: 172.16.0.158, server: , request:
"GET /healtz HTTP/1.1", host: "mydomain.com"
172.16.0.158 - - [05/Dec/2019:11:43:30 +0000] "GET /healtz HTTP/1.1" 404 153
"-" "Wget" "-"
172.16.56.6 - - [05/Dec/2019:11:43:40 +0000] "GET / HTTP/1.1" 404 153 "-"
"-" "-"
```

Shouldn't the return directive (as written) simply return a 200 and the
message, even if a page is not present?

Sorry if I posted in the same thread three different issues... I just
thought it would have made sense to post them together.

Thank you,

-Luca

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286413,286413#msg-286413

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Various errors while configuring nginx for certificate-based client auth

Maxim Dounin
Hello!

On Thu, Dec 05, 2019 at 06:51:17AM -0500, lucaprete wrote:

> I'm using nginx in form of container (docker.io/nginx), version
> 1.17.3-alpine
> I'm trying to setup my nginx to do TLS auth and then forward packets to
> another host in the network.
> As part of this I also have to support some probes that continuously monitor
> a secondary location, same server, same port.
>
> This is my configuration
>
> ```
> server {
>   listen 443 ssl;
>   server_name            mydomain.com;
>
>   ssl_certificate        /etc/nginx/certs/tls.crt;
>   ssl_certificate_key    /etc/nginx/certs/tls.key;
>
>   ssl_client_certificate /etc/nginx/ca_certs/ca.crt;
>   ssl_verify_client      optional;
>   ssl_verify_depth       2;
>
>   location = /healthz {
>     return 200 'the app is alive!';
>   }
>
>   location = / {
>     if ($ssl_client_verify != SUCCESS) {
>       return 403;
>     }
>
>     proxy_pass       <a href="http://other-host:8080;">http://other-host:8080;
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header SSL_Client $ssl_client_s_dn;
>     proxy_set_header SSL_Client_Verify $ssl_client_verify;
>   }
> }
> ```
>
> First of all, as soon as I load the configuration I get the following
> error:
>
> ```
> 2019/12/05 10:22:35 [emerg] 1#1: invalid condition "!=" in
> /etc/nginx/conf.d/mydomain.conf:36
> nginx: [emerg] invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36
> ```
>
> I find this if directive on any possible tutorial. I'm really not sure
> what's wrong here...
>
> Also, even if I remove the if clause (just to see if otherwise it would
> work) I get another error:
>
> ```
> 2019/12/05 11:10:20 [emerg] 1#1: invalid number of arguments in
> "proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
> nginx: [emerg] invalid number of arguments in "proxy_set_header" directive
> in /etc/nginx/conf.d/mydomain.conf:41
> ```

It looks like the configuration you are trying to put is passed
through shell variable expansion, resulting in a completely broken
configuration as seen by nginx.  That is,

>     if ($ssl_client_verify != SUCCESS) {

becomes

      if ( != SUCCESS) {

which would result in the error message you see, and

>     proxy_set_header Host $host;

results in

      proxy_set_header Host ;

which obviously have invalid number of aguments.  You have to find
where the configuration is broken and fix it.

[...]

> Sorry if I posted in the same thread three different issues... I just
> thought it would have made sense to post them together.

Sure.  Clearly this is just one issue with configuration
deployment.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Various errors while configuring nginx for certificate-based client auth

satay
You got it! :)

Some steps before I was using envsubst, which was also trying to substitute
the nginx variables.
Specifying what variables to substitute (i.e. envsubst '$ONLY_THIS_VAR' <
mydomain.com.conf) solved the issue.

Thank you!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286413,286416#msg-286416

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx