Alex B

Reputation: 84832

Uniquely identifying clients with client-side SSL

In the following scenario,

[client]---https--->[Nginx]---http--->[app server]

How (and what) would I pass down to the app server to uniquely identify the certificate? That is, Nginx validates the certificate, but the app server doesn't see it. I need to distinguish between users at the app server, so they can't impersonate each other.

Upvotes: 2

Views: 1475

Answers (1)

Bruno

Reputation: 122669

You could adapt the same technique as what's described in this question for Apache Httpd. You'd need the Nginx equivalent of something like:

RequestHeader set X-ClientCert ""
RequestHeader set X-ClientCert "%{SSL_CLIENT_CERT}s"

I haven't tried, but the documentation for the Nginx SSL module has a section about "Embedded Variables". More specifically:

$ssl_client_cert returns the client certificate in the PEM format for an established SSL connection, with each line except the first prepended with the tab character; this is intended for the use in the proxy_set_header directive;

This looks like what you need with a reverse-proxy setting, like the one you have.

Note that it's very important to clear this header on its way in, otherwise clients could just set the headers themselves and use any certificate they like.

How you then want to check this in your application server depends on the platform you're using. In Java, for example, you could write a Filter (or a Tomcat Valve) that sets the parameter in the request from this custom HTTP header.

Upvotes: 2
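The app-server side of the answer above, as an added example that is not part of the original answer: it takes the value Nginx would place in a custom header from $ssl_client_cert (PEM with every line after the first prefixed by a tab), restores the PEM, decodes it to DER and derives a SHA-256 fingerprint to use as the per-client identity. It also refuses to trust the header unless the request arrived from the proxy's address, as a second line of defence against clients who send the header themselves. The header name X-ClientCert, the proxy address 127.0.0.1 and the Nginx directives quoted in the comments are assumptions about the deployment; the certificate body in the sample header is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib

# Assumed Nginx configuration for the reverse proxy (not from the original answer):
#
#   ssl_verify_client on;
#   ssl_client_certificate /path/to/ca.pem;
#   proxy_set_header X-ClientCert $ssl_client_cert;
#
# proxy_set_header replaces whatever X-ClientCert value the client sent, so the
# upstream only ever sees the certificate Nginx itself verified.

TRUSTED_PROXY = "127.0.0.1"   # assumption: Nginx and the app server share a host
HEADER = "X-ClientCert"       # assumption: header name chosen in proxy_set_header


def untab_pem(header_value: str) -> str:
    """Undo Nginx's encoding: each line except the first has a leading tab."""
    lines = header_value.split("\n")
    rest = [line[1:] if line.startswith("\t") else line for line in lines[1:]]
    return "\n".join([lines[0]] + rest)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END markers and base64-decode the certificate body."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.strip().startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def cert_fingerprint(header_value: str) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` prints."""
    der = pem_to_der(untab_pem(header_value))
    return hashlib.sha256(der).hexdigest()


def client_id_from_request(remote_addr: str, headers: dict):
    """Return the client's certificate fingerprint, or None if the header cannot be trusted.

    The header is only meaningful when the immediate peer is the proxy that
    verified the certificate; any other peer may have forged it.
    """
    if remote_addr != TRUSTED_PROXY:
        return None
    value = headers.get(HEADER)
    if not value:
        return None
    try:
        return cert_fingerprint(value)
    except (ValueError, IndexError):
        return None


# Constructed sample: a PEM-shaped blob in Nginx's tab-prefixed form. The payload
# is placeholder bytes 0x00..0x3f, not an actual X.509 certificate.
_PLACEHOLDER_DER = bytes(range(64))
_b64 = base64.b64encode(_PLACEHOLDER_DER).decode()
_pem_lines = (["-----BEGIN CERTIFICATE-----"]
              + [_b64[i:i + 64] for i in range(0, len(_b64), 64)]
              + ["-----END CERTIFICATE-----"])
SAMPLE_HEADER_VALUE = _pem_lines[0] + "\n" + "\n".join("\t" + l for l in _pem_lines[1:])


if __name__ == "__main__":
    print("from proxy :", client_id_from_request(TRUSTED_PROXY, {HEADER: SAMPLE_HEADER_VALUE}))
    print("from client:", client_id_from_request("203.0.113.9", {HEADER: SAMPLE_HEADER_VALUE}))
```

The fingerprint, rather than the subject DN, is used as the identity key because it is stable, cheap to compute with the standard library alone, and cannot collide across two distinct certificates in practice; a real deployment would look it up in a user table populated when certificates are issued.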
