Setting up an nginx as a Proxy for EJBCA CE

[MRLeflei]

Hi I have been pulling my hair to get this to work in openshift, but I was not able so I opted for an nginx proxy infront of the ejbca container.

My goal is:

Display EJBCA RA Web and adminweb at https://pki.company.com/ with a certificate from another CA
Redirect all HTTP-requests to HTTPS, except for OCSP and CRL.
Require a client SSL certificate when accessing https://pki.company.local/adminweb/ (this is the default - managementCA superadmin cert)
Still answer to requests on https://pki.company.local/ejbca/*
With the current conf using nginx I'm able to terminate SSL in nginx and in firefox I get the notification to use the superadmin cert.... but then it stops.

So it is almost working but something is missing, maybe the requests are not been sent back to the client?

---nginx.conf---

events {

}

http {
server {

HTTP server för inkommande trafik

listen 8080;
server_name pki.company.com;

location / {
    proxy_pass                              http://ejbca:8080/;
    proxy_set_header Host                   $http_host;
    proxy_set_header X-Real-IP              $remote_addr;
    proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto      $scheme;
}

}

server {
# HTTPS server med klientcertifikatsvalidering
listen 8443 ssl;
server_name pki.company.com;

# SSL-serverns egna certifikat och nyckel
ssl_certificate     /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;

# Använd ManagementCA för att verifiera klientcertifikat
ssl_client_certificate /etc/nginx/managementca/managementca.crt;
ssl_trusted_certificate /etc/nginx/managementca/managementca.crt;
ssl_verify_client on;

# Proxy-inställningar för HTTPS
location / {
    proxy_pass                              https://ejbca:8443/;
    proxy_ssl_verify                        off;
    proxy_ssl_server_name                   on;
    proxy_set_header Host                   $http_host;
    proxy_set_header X-Real-IP              $remote_addr;
    proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
    ####ny nedan###
    #proxy_set_header VERIFIED              $ssl_client_verify; 
    #proxy_set_header DN                    $ssl_client_s_dn;
    proxy_set_header X-Forwarded-Proto      $scheme;
    proxy_set_header SSL_CLIENT_CERT        $ssl_client_cert;
}

}
}

[primetomas]

Did you check the tutorial videos related to Kubernetes, Helm charts and other on our Youtube channel?
https://www.youtube.com/KeyfactorCommunity
Most of the tutorial documentation is also here: https://docs.keyfactor.com/ejbca/latest/tutorials-and-guides

[MRLeflei]

Yepp.... but the kubernets is not directly applicble to openshift. Anyway I got a bit closer and was able to deploy ejbca with PROXY_HTTP_BIND but that causes the ManagementCA not to be created. So when I create the management CA and download the superadmin CA and try to remove the public access I get "Authorization Denied Cause: Granted access of the current administrator might be affected by this change."

[MRLeflei]

Solved it... If anyone else i looking: This is the final nginx conf that worked:

server {
# HTTPS server med klientcertifikatsvalidering
listen 8443 ssl;
#server_name pki.systest.spv.se;

    # SSL-serverns egna certifikat och nyckel
    ssl_certificate     /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;

    # Använd ManagementCA för att verifiera klientcertifikat
    ssl_client_certificate /etc/nginx/managementca/managementca.crt;
    ssl_trusted_certificate /etc/nginx/managementca/managementca.crt;
    ssl_verify_client optional_no_ca;
	ssl_verify_depth 1;
	
    # Proxy-inställningar för HTTPS
    location / {
        proxy_pass                              http://ejbca-ce:8082/;
		proxy_set_header Upgrade                $http_upgrade;
        proxy_set_header Connection             "upgrade";
        proxy_set_header Host                   $host;
        proxy_http_version                      1.1;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header SSL_CLIENT_CERT        $ssl_client_cert;
		proxy_set_header X-SSL-CERT             $ssl_client_escaped_cert;
    }

[primetomas]

Awesome. What was the final piece? I always though SSL_CLIENT_CERT but I see X-SSL-CERT here as well.
EJBCA itself only does a getCertificate, from the Java HTTPRequest, which is populated by the application server, i.e. WildFly who in turn gets it from NGinx.