Is it possible to support verification of client certificates?

[bigboyq]

if add a new param to control whether check $ssl_client_verify, would be helpful authentication,
such as
proxy_connect_ssl_client_verify on/off; [default off]

if proxy_connect_ssl_client_verify on then check ssl_client_verify for each request, if failed, return 400, if successed, authenticated!

I think this function would be very helpful, thanks for considering.

[chobits]

Note that proxy_connect module does not parse the proxied tcp stream after CONNECT request.

Although it can be doable for ssl-client-verify if we think the proxied tcp stream is SSL protocol, but implementation is not easy. Current imeplementation is just proxing the raw stream, if we do ssl-client-veirfy, the proxy_connect module should do complete SSL handshake. And also you must have the server certificate and key of upstream peer, and configure it on proxy_connect module.

I think a good way is that upstream peer does ssl-client-verify. It is real consumer of the raw stream.

[bigboyq]

May be I have some misunderstanding....
For my consideration, ssl-client-verify happens on the TLS layer, before CONNECT method be procedured.
In my mind, CONNECT module only need to see the result of $ssl-client-verify, no much code work should be done.
I could describe one situation, which required this function
I have a nginx server, I could set

    ssl_verify_client 		optional;

IMPORTANT, ssl_verify_client is a configure item, $ssl-client-verify is a variable, which indicates whether cert verify be succeed.
In the connect module, I could check $ssl_client_verify, if equal to 'SUCCESS', I process the connect method, otherwise, return 400
In the location /.well_known/ no $ssl_client_verify check required, as .acme.sh could use this path to renew my certificate
In the Location /, $ssl_client_verify is required, if 'SUCCESS', proxy_pass works, otherwise, return 404;

[chobits]

Will check it later, please wait:)

[bigboyq]

Will check it later, please wait:)

Happy to wait

[chobits]

Hi, you can check $ssl_client_verify in lua (e.g. rewrite_by_lua handler of lua-nginx-module).

proxy_connect module can support lua-nginx-module, see following details:

[chobits]

In the location /.well_known/ no $ssl_client_verify check required, as .acme.sh could use this path to renew my certificate
In the Location /, $ssl_client_verify is required, if 'SUCCESS', proxy_pass works, otherwise, return 404;

Do you want proxy_connect module to check different location?
Proxy_connect module cannot get location (proxied request URI) info from raw tcp stream.

[bigboyq]

In the location /.well_known/ no $ssl_client_verify check required, as .acme.sh could use this path to renew my certificate
In the Location /, $ssl_client_verify is required, if 'SUCCESS', proxy_pass works, otherwise, return 404;

Do you want proxy_connect module to check different location?
Proxy_connect module cannot get location (proxied request URI) info from raw tcp stream.

I don't think connect module support location is a good idea, this function may made connect module more flexible but too heavy.
I think authentication support might be a useful enhancement, as authentication is quite common function.
Support $ssl_client_verify by lua may be a solution.
In my mind(neither right nor wrong), lua solution might be good, but authentication might be more common requirement, haha.
Anyway, wait your decision, if you decide to support, I wait. If not, I will try lua support:)

[chobits]

BTW, rewrite module still can work. For example configuration, it maybe:

if ($ssl_client_verify = "..." ) { return 400; }

[bigboyq]

$request_method =


just let you know

[bigboyq]

It seems that, CONNECT method has no location, if I am wrong, let me know
Outside location, you can not specify verification for CONNECT method
As a result, we can handle GET/POST with authentication process, but CONNECT, not.

[bigboyq]

Related configuration pasted here, I think you could understand :P

ssl_verify_client 		on;
#ssl_verify_client		optional;
server {
    	listen 443 ssl;	
	proxy_connect;
	proxy_connect_allow all;
	proxy_connect_connect_timeout  10s;
	proxy_connect_read_timeout     10s;
	proxy_connect_send_timeout     10s;
	if ($ssl_client_verify != "SUCCESS")
		{
	#		if ($request_method = CONNECT)	{return 400;}
		}
	location / {
		#if ($ssl_client_verify != "SUCCESS") {return 404;}
		proxy_pass http://$host;
		proxy_set_header Host $host;
	}
	location ^~ /.well-known/acme-challenge/ {
		alias /var/www/acme-challenge/;
	}
    }

[chobits]

For configuration failure, try this configuration:

        set $ssl_client_verify_connect "$request_method $ssl_client_verify";
        if ($ssl_client_verify_connect ~ "CONNECT FAILED") { return 401; }

---

It seems that, CONNECT method has no location

Yes, CONNECT request does not include URI. For details, see CONNECT-tunnel wiki.

[bigboyq]

Funny solution, Finally configuration is

	set $ssl_client_verify_connect "$request_method $ssl_client_verify";
	if ($ssl_client_verify_connect ~ "CONNECT FAILED") { return 401; }
	if ($ssl_client_verify_connect ~ "CONNECT NONE") { return 401; }