We want to extract TLS-related variables in on-prem OPDK 4.18.x. We have enabled 2-way SSL and configured the VH, but the properties are not valid in 4.18.x.
We need to capture the incoming request and the TLS variables below, and we are having issues as they are not recognized / result in empty values.
tls.client.raw.cert
tls.client.cert.serial
tls.client.cert.fingerprint
The document below only refers to the latest version and we need a workaround. This is a key need for our PSD2 OBIE requirements.
https://docs.apigee.com/api-platform/system-administration/tls-vars
Saw the article below but want confirmation that we can use it to fetch those variables.
https://community.apigee.com/articles/39667/how-to-customize-nginx-settings-by-virtualhost.html
Thank you.
Hi Vinay,
You can use the article you quoted to configure variables from this list
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
to propagate them to the proxy context.
Note: Step performed on 18.01, but should work for any version of OPDK.
Set the property like this:
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;
in the /opt/apigee/customer/application/router.properties
restart router
apigee-service edge-router restart
The file /opt/apigee/edge-router/conf/load_balancing.properties will contain this line:
cat /opt/apigee/edge-router/conf/load_balancing.properties | grep raw_
proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;
and your /opt/nginx/conf.d/*.conf org/env/secure file(s) will contain:
cat org_dev_secure.conf | grep raw
proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;
Execute a request with a client key and certificate and it will populate a header variable X-Tls.ssl_client_raw_cert.
Added below in router.properties
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra1=proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;
but it doesn't populate the variable. Tried both and it shows empty:
X-Tls.ssl_client_raw_cert and request.header.X-Tls.ssl_client_raw_cert
Any changes we need to add in the custom-config.conf file?
==
Tried adding
vi /opt/nginx/vh.customer/test.dev.test1/custom-config.conf
ssl_client_raw_cert;
test1 is the VH which is 2-way SSL enabled,
but I see no difference.
Thanks
Sorry, I made a typo: it should be extra2 instead of extra1.
I corrected the answer and added interim steps to verify the configuration process.
Hello,
Thanks for your information. May I know when we use extra2 and when we use extra1? I see your answer and the two below; all three are used, but you also mentioned that the number seems to matter. May I ask when we use no digit and when we use extra1 or extra2? Is there any document for reference?
https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/How-to-customize-NGinx-settings-by-Vi...
https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/How-to-configure-NGinx-with-special-d...
For example, if I want to configure nginx to forward $ssl_client_v_start
via proxy_set_header, should I add the configuration below in router.properties? Thank you.
Thank you for the details.
How do I fetch multiple values? I added the lines below and it doesn't seem to work. Did you test and validate?
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_fingerprint $ssl_client_fingerprint;
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_serial $ssl_client_serial;
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_v_start $ssl_client_v_start;
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_v_end $ssl_client_v_end;
Observation: if we add more entries, it looks like it honors the last entry.
Any suggestion?
Catenate them into a single string. Property:
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;proxy_set_header X-Tls.ssl_client_fingerprint $ssl_client_fingerprint;
Returns/puts on Context:
< X-Tls.ssl_client_raw_cert: -----BEGIN CERTIFICATE-----MII...mnuB-----END CERTIFICATE-----
< X-Tls.ssl_client_fingerprint: 53bb54c90ff8b1f432a53e253ba115f72bfcba5f
< User-Agent: curl/7.29.0
< Accept: */*
That said, in this particular use case, if you plan to use the x509/psd2 callout, you will have those values returned from it anyway.
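An added example (not from the thread or from Apigee) of what the consumer of these forwarded headers has to do: $ssl_client_raw_cert loses its line breaks once it travels as an HTTP header (the curl output above shows the PEM on one line), so the value must be re-wrapped before any X.509 library will accept it, and the forwarded fingerprint header can be cross-checked against a SHA-1 of the recovered DER, which is what nginx's $ssl_client_fingerprint is. The header names follow the answer above; the DER bytes and serial are constructed placeholders, not a real certificate.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def rewrap_pem(header_value: str) -> str:
    """Rebuild a valid PEM block from the X-Tls.ssl_client_raw_cert header value,
    whose base64 body arrives as one unbroken run between the markers."""
    body = header_value.strip()
    if not (body.startswith(BEGIN) and body.endswith(END)):
        raise ValueError("header does not carry a PEM certificate")
    b64 = body[len(BEGIN):-len(END)].replace(" ", "").replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # PEM uses 64-char lines
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


def der_from_pem(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def fingerprint_matches(headers: dict) -> bool:
    """True when X-Tls.ssl_client_fingerprint equals SHA-1(DER) of the forwarded cert.
    Only trust these headers on virtual hosts where nginx sets them itself
    (proxy_set_header overwrites any client-supplied copy); on other hosts a
    client could send such headers directly."""
    h = {k.lower(): v for k, v in headers.items()}
    der = der_from_pem(rewrap_pem(h["x-tls.ssl_client_raw_cert"]))
    return hashlib.sha1(der).hexdigest() == h.get("x-tls.ssl_client_fingerprint", "").lower()


def extract_tls_vars(headers: dict) -> dict:
    """Map the forwarded headers onto the variable names asked about in the question."""
    if not fingerprint_matches(headers):
        raise ValueError("fingerprint header does not match the forwarded certificate")
    h = {k.lower(): v for k, v in headers.items()}
    pem = rewrap_pem(h["x-tls.ssl_client_raw_cert"])
    return {
        "tls.client.raw.cert": pem,
        "tls.client.cert.fingerprint": hashlib.sha1(der_from_pem(pem)).hexdigest(),
        "tls.client.cert.serial": h.get("x-tls.ssl_client_serial", ""),
    }


# Constructed sample input: placeholder bytes standing in for a client certificate.
SAMPLE_DER = bytes(range(200))
SAMPLE_HEADERS = {
    "X-Tls.ssl_client_raw_cert": BEGIN + base64.b64encode(SAMPLE_DER).decode() + END,
    "X-Tls.ssl_client_fingerprint": hashlib.sha1(SAMPLE_DER).hexdigest(),
    "X-Tls.ssl_client_serial": "0A1B2C",  # constructed value
}

if __name__ == "__main__":
    print(extract_tls_vars(SAMPLE_HEADERS))
```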