How to access tls related variables in 4.18.x

We want to extract TLS-related variables in on-prem OPDK 4.18.x. We have enabled 2-way SSL and configured the VH, but the properties are not valid in 4.18.x.

We need to capture the incoming request and the TLS variables below, but are having issues as they are not recognized or result in empty values.

tls.client.raw.cert
tls.client.cert.serial
tls.client.cert.fingerprint

The document below only refers to the latest version and we need a workaround. This is a key need for our PSD2 OBIE requirements.

https://docs.apigee.com/api-platform/system-administration/tls-vars

Saw the article below but want confirmation whether we can use it to fetch those variables.

https://community.apigee.com/articles/39667/how-to-customize-nginx-settings-by-virtualhost.html

Thank you.


@Dino-at-Google

Can you please help guide us for lower versions (<4.19) on how we can extract the TLS cert-related information?

Hi Vinay,

You can use the article you quoted to configure variables from this list

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

to propagate them to the proxy context.

Note: Steps performed on 18.01, but this should work for any version of OPDK.

Set the property like this:

conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;

in the /opt/apigee/customer/application/router.properties

Restart the router:

apigee-service edge-router restart

The file /opt/apigee/edge-router/conf/load_balancing.properties will contain this line:

cat /opt/apigee/edge-router/conf/load_balancing.properties |grep raw_

\n                proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;\

and your /opt/nginx/conf.d/*.conf org/env/secure file(s) will contain:

cat org_dev_secure.conf |grep raw

                proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;

Execute a request with a client key and certificate and it will populate a header variable X-Tls.ssl_client_raw_cert.

Added the below in router.properties

conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra1=proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;

but it doesn't populate the variable. Tried both and it shows empty:

X-Tls.ssl_client_raw_cert and request.header.X-Tls.ssl_client_raw_cert

Any changes we need to add in the custom-config.conf file?

==

Tried adding

vi /opt/nginx/vh.customer/test.dev.test1/custom-config.conf
ssl_client_raw_cert;

test1 is the VH which is 2-way SSL enabled.

but see no difference.

Thanks

Sorry, I made a typo: it should be extra2 instead of extra1.

I corrected the answer and added interim steps to verify the configuration process.

Hello,

Thanks for your information. May I know when we use extra2 and when we use extra1? I see your answer and the two below; all three are used, but you also mentioned that it seems the number is influential. May I ask when we use no digits and when extra1 or 2? Is there any document for reference?
https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/How-to-customize-NGinx-settings-by-Vi...
https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/How-to-configure-NGinx-with-special-d...

For example, if I want to configure nginx to forward $ssl_client_v_start by proxy_set_header, should I add the configuration below in router.properties? Thank you.

conf_load_balancing_load.balancing.driver.nginx.server.ssl.template.extra2=proxy_set_header...?

Thank you for the details.

How to fetch multiple values? Added the below and it doesn't seem to work. Did you test and validate?

conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_fingerprint $ssl_client_fingerprint;
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_serial $ssl_client_serial;
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_v_start $ssl_client_v_start;
conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_v_end $ssl_client_v_end;

Observation is that if we add more entries, it looks like it honors the last entry.

Any suggestion?

Concatenate them into a single string. Property

conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2=proxy_set_header X-Tls.ssl_client_raw_cert $ssl_client_raw_cert;proxy_set_header X-Tls.ssl_client_fingerprint $ssl_client_fingerprint;

Returns/puts on Context:

< X-Tls.ssl_client_raw_cert: -----BEGIN CERTIFICATE-----MII...mnuB-----END CERTIFICATE-----
< X-Tls.ssl_client_fingerprint: 53bb54c90ff8b1f432a53e253ba115f72bfcba5f
< User-Agent: curl/7.29.0
< Accept: */*

That said, in this particular use case, if you plan to use the x509/PSD2 callout, you will have those values returned from it anyway.
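As an added example (not code from this thread or from Apigee), a small stdlib-only Python helper that builds the single concatenated extra2 property the answer above describes and then cross-checks the two forwarded headers against each other: the curl output is constructed with a fake base64 body so the expected fingerprint is known, and the check assumes nginx's $ssl_client_fingerprint is the SHA-1 of the DER certificate.

```python
import base64
import hashlib
import re

EXTRA2_KEY = "conf_load_balancing_load.balancing.driver.nginx.server.ssl2way.template.extra2"

def build_extra2(header_to_var):
    # The router keeps only the last value of a repeated key, so every
    # proxy_set_header directive must be concatenated into this one property.
    body = "".join(f"proxy_set_header {h} ${v};" for h, v in header_to_var.items())
    return f"{EXTRA2_KEY}={body}"

def parse_tls_headers(curl_verbose):
    # Pull the forwarded X-Tls.* headers out of 'curl -v' lines ('< Name: value').
    found = {}
    for line in curl_verbose.splitlines():
        m = re.match(r"^<\s*(X-Tls\.[^:\s]+):\s*(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def raw_cert_to_pem(raw):
    # The forwarded $ssl_client_raw_cert arrives with its line breaks stripped;
    # re-wrap the base64 body at 64 columns so standard PEM parsers accept it.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", raw)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def sha1_fingerprint(raw):
    # nginx's $ssl_client_fingerprint is the SHA-1 of the DER-encoded certificate.
    body = "".join(raw_cert_to_pem(raw).splitlines()[1:-1])
    return hashlib.sha1(base64.b64decode(body)).hexdigest()

def fingerprint_matches(headers):
    # Cross-check the two forwarded headers against each other before trusting them.
    return sha1_fingerprint(headers["X-Tls.ssl_client_raw_cert"]) == \
        headers["X-Tls.ssl_client_fingerprint"].lower()

# Constructed sample: the "certificate" body is base64 of b"abc", so the expected
# fingerprint is SHA-1("abc"); a real response carries a full MII... certificate.
SAMPLE_CURL = """\
< X-Tls.ssl_client_raw_cert: -----BEGIN CERTIFICATE-----YWJj-----END CERTIFICATE-----
< X-Tls.ssl_client_fingerprint: A9993E364706816ABA3E25717850C26C9CD0D89D
< User-Agent: curl/7.29.0
"""
```

Feed the real curl -v output of a 2-way SSL request into parse_tls_headers and a False from fingerprint_matches means the cert header was truncated or altered in transit.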