We have NGINX running on an EC2 instance behind an Application Load Balancer. We have configured our ALB to use mTLS with Passthrough (new feature on an ALB since Nov. 2023). Based upon the AWS documentation, the client cert will be passed through to NGINX on the header X-Amzn-Mtls-Clientcert. We have verified this as well.
Since the certificate is in the X-Amzn-Mtls-Clientcert header, how do we configure NGINX to use that header to establish the mTLS connection?
Our current NGINX server config:
server {
    error_log /var/log/nginx/error.log debug;
    listen 443 ssl;
    server_name ~abc.com;
    ssl_certificate     /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/private/nginx.key;
    # Require a client certificate on the TLS connection NGINX terminates itself
    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/client_certs/publicapi.crt;
    ssl_verify_depth 1;
    location /mtls-statuscheck {
        access_log /var/log/nginx/access-mtls.log main;
        # NGINX $http_ variable names are written in lower case with dashes
        # replaced by underscores (e.g. $http_x_amzn_mtls_clientcert for the
        # X-Amzn-Mtls-Clientcert header); mixed-case names resolve to empty.
        return 200 "$ssl_client_verify - $http_content_type $http_user_agent $http_x_amzn_mtls_clientcert";
        add_header Content-Type text/plain;
    }
}
It seems like there should be two solutions (but I am new to NGINX):
- Configure NGINX to look at the X-Amzn-Mtls-Clientcert header for the client cert to establish the mTLS connection; or
- Add "something" to set the header that NGINX currently looks at for the client cert to the value of the X-Amzn-Mtls-Clientcert header.
We have tried setting a header "ssl-client-cert" to the value of X-Amzn-Mtls-Clientcert in the server block, but that did not work.
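As an added illustration (not from the original post or from AWS/NGINX), the following server block treats the ALB as the TLS peer on this hop and gates requests on the presence of the passed-through header instead of on `ssl_verify_client`; it assumes NGINX is reachable only from the ALB (security group), that the application upstream at 127.0.0.1:8080 is hypothetical, and that the upstream performs the actual chain validation of the decoded PEM, since in passthrough mode the ALB does not verify the certificate.

```nginx
# Added example, not the original poster's configuration.
# Assumption: only the ALB can reach port 443 on this instance, so the
# X-Amzn-Mtls-Clientcert header cannot be supplied by an arbitrary client.
map $http_x_amzn_mtls_clientcert $mtls_cert_present {
    default 1;
    ""      0;   # header absent or empty: no client certificate was presented
}

server {
    error_log /var/log/nginx/error.log debug;
    listen 443 ssl;
    server_name ~abc.com;
    ssl_certificate     /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/private/nginx.key;

    # No ssl_verify_client here: the TLS peer of this listener is the ALB,
    # which does not present the end client's certificate, so requiring one
    # on this hop would reject every request the ALB forwards.

    location /mtls-statuscheck {
        access_log /var/log/nginx/access-mtls.log main;
        add_header Content-Type text/plain;
        if ($mtls_cert_present = 0) {
            return 403 "no client certificate in X-Amzn-Mtls-Clientcert\n";
        }
        return 200 "client certificate header present\n";
    }

    location / {
        if ($mtls_cert_present = 0) {
            return 403;
        }
        # Forward the URL-encoded PEM chain unchanged; the upstream
        # (hypothetical, 127.0.0.1:8080) decodes it and validates the chain
        # against the trusted CA bundle.
        proxy_set_header X-Amzn-Mtls-Clientcert $http_x_amzn_mtls_clientcert;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The presence check only establishes that the ALB saw a certificate; authenticating the client still requires validating the chain in the header at the upstream.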