Journey in a software world…
21 Jul
As a Puppet Mongrel Nginx user, I'm really ashamed of the convoluted nginx configuration it needs (two server blocks listening on different ports, and you must point your clients' CA interactions at the second port with --ca_port), and of the lack of proper CRL verification.
If you are like me, then there is some hope in this blog post.
Last weekend I did some intense Puppet hacking (certainly more news about this soon), and part of this work is two Nginx patches:
First, download both patches:
Then apply them to Nginx (tested on 0.7.59):
$ cd nginx-0.7.59
$ patch -p1 < ../0001-Support-ssl_client_verify-optional-and-ssl_client_v.patch
$ patch -p1 < ../0002-Add-SSL-CRL-verifications.patch
Then build Nginx as usual. (Both features, the optional parameter of ssl_verify_client and the ssl_crl directive, were later incorporated into stock nginx, so the patches are only needed for releases of that era.)
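What the CRL patch actually changes is the X509 store flags nginx verifies client chains with: with ssl_crl set, nginx loads the CRL into its store and turns on X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL, so a node certificate that is still within its validity period and correctly signed by the Puppet CA is nevertheless rejected once the CA lists its serial as revoked. The following is an added example, not code from this post or from the nginx patches: it reproduces that verification path with Ruby's bundled OpenSSL binding. The CA name, node names and serial numbers are hypothetical, and every key, certificate and CRL is generated in memory as constructed test data.

```ruby
require 'openssl'

# Added example (not from the original post or the nginx patches). It mirrors
# what nginx does with ssl_client_certificate + ssl_crl: trust the CA, load the
# CRL, and verify the client certificate with CRL checking enabled.
# All material below is constructed test data; the names are hypothetical.
module CrlDemo
  DIGEST = 'SHA256'.freeze

  # Self-signed CA with the key usages a CRL issuer needs (keyCertSign, cRLSign).
  def self.make_ca
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA')
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 86_400
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
    cert.sign(key, OpenSSL::Digest.new(DIGEST))
    [cert, key]
  end

  # Node certificate signed by the CA, the way Puppet's CA signs a node CSR.
  def self.issue(ca_cert, ca_key, cn, serial)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = serial
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.issuer = ca_cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 86_400
    cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
    cert
  end

  # CRL signed by the CA listing the given serial numbers as revoked
  # (the equivalent of Puppet's ca_crl.pem after `puppetca --revoke`).
  def self.make_crl(ca_cert, ca_key, revoked_serials)
    crl = OpenSSL::X509::CRL.new
    crl.version = 1
    crl.issuer = ca_cert.subject
    crl.last_update = Time.now - 60
    crl.next_update = Time.now + 86_400
    revoked_serials.each do |serial|
      entry = OpenSSL::X509::Revoked.new
      entry.serial = serial
      entry.time = Time.now - 30
      crl.add_revoked(entry)
    end
    crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
    crl
  end

  # Verification as nginx performs it. With check_crl the store gets the CRL
  # and the same two flags the ssl_crl directive sets; without it the store
  # behaves like an unpatched nginx that only checks signature and validity.
  def self.verify(ca_cert, crl, client_cert, check_crl: true)
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    if check_crl
      store.add_crl(crl)
      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
    end
    store.verify(client_cert)
  end

  # Full scenario: one valid node, one revoked node, CRL checking on and off.
  def self.run
    ca_cert, ca_key = make_ca
    good    = issue(ca_cert, ca_key, 'node1.example.com', 10)
    revoked = issue(ca_cert, ca_key, 'node2.example.com', 11)
    crl = make_crl(ca_cert, ca_key, [revoked.serial])
    {
      good_with_crl:       verify(ca_cert, crl, good),
      revoked_with_crl:    verify(ca_cert, crl, revoked),
      revoked_without_crl: verify(ca_cert, crl, revoked, check_crl: false)
    }
  end
end

puts CrlDemo.run.inspect if __FILE__ == $PROGRAM_NAME
```

The third result is the point of the patch: without CRL checking the revoked node's certificate still verifies, because nothing about the certificate itself has changed. It also shows why the CRL file nginx reads must be kept current: nginx loads ca_crl.pem at startup, so after revoking a node the server has to be reloaded for the new CRL to take effect.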
Here is a revised Puppet Nginx Mongrel configuration:
upstream puppet-production {
    server 127.0.0.1:18140;
    server 127.0.0.1:18141;
}

server {
    listen 8140;
    # "ssl on" is the 0.7.x syntax; current nginx uses "listen 8140 ssl;"
    ssl on;
    ssl_session_timeout 5m;
    ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.pem;
    # the CA that issued the node certificates
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    # cipher list as published in 2009: it admits SSLv2 and RC4. On a current
    # nginx/OpenSSL use ssl_protocols TLSv1.2 TLSv1.3 and a modern ssl_ciphers list
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    # allow authenticated clients and clients without certs (needed for CA requests)
    ssl_verify_client optional;
    # obey the Puppet CRL
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    root /var/tmp;

    location / {
        proxy_pass http://puppet-production;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # verification result and client DN for the Puppet backend.
        # proxy_set_header replaces any value the client sent, so these headers
        # are trustworthy only while nginx is the sole path to the Mongrels
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 65;
    }
}
Reload nginx and enjoy.
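With ssl_verify_client optional, requests from nodes that have no certificate yet reach the same Mongrels as requests from fully verified nodes, so the backend is the place where the two are told apart: it must treat a request as authenticated only when the proxied X-Client-Verify header is exactly SUCCESS, and take the node name from X-SSL-Subject. The module below is an added example, not from this post and not Puppet's own Mongrel handler: plain Ruby over Rack-style env keys (HTTP_X_CLIENT_VERIFY, HTTP_X_SSL_SUBJECT, PATH_INFO), with a hypothetical CA_PATHS whitelist modelled on Puppet's /:environment/:indirection/:key REST layout. It goes slightly beyond the post in accepting both the OpenSSL one-line DN that nginx of that era put in $ssl_client_s_dn and the RFC 2253 form current nginx emits.

```ruby
# Added example (not from the original post and not Puppet's own Mongrel
# handler): how a backend behind the nginx server block above should consume
# the proxied TLS headers. Works on Rack-style env keys, so it needs no gems.
module ClientIdentity
  # Hypothetical whitelist: only the CA endpoints may be used without a
  # verified client certificate (a node fetching the CA cert, submitting its
  # CSR or collecting its signed cert).
  CA_PATHS = %r{\A/[^/]+/(certificate_request|certificate|certificate_revocation_list)/}

  # Extract the CN from a subject DN. Accepts the OpenSSL one-line form
  # ("/C=XX/O=Puppet/CN=node1") and the RFC 2253 form ("CN=node1,O=Puppet,C=XX").
  def self.common_name(dn)
    return nil if dn.nil? || dn.empty?
    parts = dn.start_with?('/') ? dn[1..-1].split('/') : dn.split(',')
    pair = parts.map { |p| p.split('=', 2) }.find { |k, _v| k.strip == 'CN' }
    cn = pair && pair[1] && pair[1].strip
    cn.nil? || cn.empty? ? nil : cn
  end

  # Returns [authenticated, client_name]. Only the exact string "SUCCESS"
  # counts as verified; a missing header, "NONE" or any "FAILED..." value
  # leaves the request unauthenticated, whatever the subject header says.
  def self.identify(env)
    name = common_name(env['HTTP_X_SSL_SUBJECT'])
    return [false, nil] unless env['HTTP_X_CLIENT_VERIFY'] == 'SUCCESS' && name
    [true, name]
  end

  # Simplified access decision (Puppet's real rules live in auth.conf):
  # verified nodes may reach any path, everything else only the CA endpoints.
  def self.allow?(env)
    authenticated, _name = identify(env)
    return true if authenticated
    !!(CA_PATHS =~ env['PATH_INFO'].to_s)
  end
end
```

The rule that only a literal SUCCESS authenticates is what makes the optional mode safe: a node whose certificate was revoked, or a client that sent no certificate at all, can still talk to the CA endpoints but cannot fetch another node's catalog. It holds only as long as clients cannot reach the Mongrels directly, which is why the upstream servers above listen on 127.0.0.1; anyone who can connect to port 18140 can set X-Client-Verify: SUCCESS themselves.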
2 Responses for "New SSL features for Nginx"
Thank you for these excellent patches! Have you gotten this to work with Passenger? I am having trouble setting the request headers before Passenger picks up the request, so every machine is handed my puppetmaster machine’s config!
Hi, masterzen! I got an error when compiling nginx; how do I fix that problem?
cc1: warnings being treated as errors
src/event/ngx_event_openssl.c: In function 'ngx_ssl_crl':
src/event/ngx_event_openssl.c:294: warning: pointer targets in passing argument 3 of 'X509_LOOKUP_ctrl' differ in signedness
make[1]: *** [objs/src/event/ngx_event_openssl.o] Error 1
make[1]: Leaving directory `/root/nginx-0.7.59'
make: *** [build] Error 2