cloudfoundry / java-buildpack-client-certificate-mapper

Apache License 2.0

add support for nginx $ssl_client_escaped_cert #2

Closed metron2 closed 5 years ago

metron2 commented 5 years ago

See https://blog.haraschak.com/nginx-user-certificate-authentication/

This is mostly a vSphere support issue where NGINX is used in front of the gorouters. It URI-encodes the PEM file before sending it in a request header.

cfdreddbot commented 5 years ago

:white_check_mark: Hey metron2! The commit authors and yourself have already signed the CLA.

nebhale commented 5 years ago

Who populates X-Forwarded-Client-Cert-Url? That doesn't seem to be a well-known header anywhere.

metron2 commented 5 years ago

Since Nginx 1.13, they prefer a URI encoding for client certificates using the variable $ssl_client_escaped_cert. When using NGINX as the load balancer for cloud foundry, you use

```nginx
proxy_set_header X-Forwarded-Client-Cert-Uri $ssl_client_escaped_cert;
```

It would probably be better to make the encoding optional and use the well-known header, or to add a second header that lets the buildpack know about the encoding? I'm open to suggestions.

nebhale commented 5 years ago

What about sticking with the well-known header (X-Forwarded-Client-Cert) and trying both styles (if one doesn't work, try the other)? I'm generally loath to force external configuration to conform to the expectations of applications; I think the responsibility flows the other direction.
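The "try both styles on the well-known header" approach suggested above, as an added example that is not code from this project: it accepts either a raw PEM certificate (tabs, spaces or CRLF between lines tolerated, since proxies forwarding `$ssl_client_cert` mangle line breaks) or nginx's percent-encoded form from `$ssl_client_escaped_cert`, and reports which style it found. The sample certificate body is constructed (a minimal ASN.1 SEQUENCE, not a real X.509 certificate), and the escaped sample is produced with `quote(..., safe="")` on the assumption that it approximates nginx's component-style escaping; the mapper's own parsing of the resulting DER is not shown here.

```python
"""Decode a client certificate forwarded in a request header, accepting either
the raw PEM style or nginx's percent-encoded style, trying one then the other."""
import base64
import binascii
from typing import Optional, Tuple
from urllib.parse import quote, unquote

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _parse_pem(text: str) -> Optional[bytes]:
    """Return DER bytes if `text` holds one well-formed PEM certificate, else None.
    Whitespace inside the base64 body is ignored because proxies that forward raw
    PEM often replace newlines with tabs or spaces."""
    start = text.find(PEM_BEGIN)
    end = text.find(PEM_END)
    if start < 0 or end < 0 or end < start:
        return None
    body = text[start + len(PEM_BEGIN):end]
    body = "".join(body.split())  # drop tabs/newlines/spaces between base64 lines
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A DER certificate is an ASN.1 SEQUENCE (tag 0x30); reject obvious garbage
    # before handing the bytes to a real X.509 parser.
    if not der or der[0] != 0x30:
        return None
    return der


def decode_client_cert_header(value: str) -> Optional[Tuple[str, bytes]]:
    """Try the well-known raw PEM style first; if that fails, percent-decode and
    retry. Returns ("pem", der) or ("escaped", der), or None if neither works.
    unquote() is used rather than unquote_plus(): a literal '+' in base64 must
    stay '+', not turn into a space."""
    der = _parse_pem(value)
    if der is not None:
        return ("pem", der)
    der = _parse_pem(unquote(value))
    if der is not None:
        return ("escaped", der)
    return None


# Constructed sample: not a real certificate, just a DER SEQUENCE whose base64
# form contains '+', '/' and '=' so the escaping path is exercised.
SAMPLE_DER = bytes([0x30, 0x0F, 0xBF, 0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = PEM_BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n" + PEM_END + "\n"
# Assumption: nginx's $ssl_client_escaped_cert percent-encodes every character
# outside the unreserved set, which quote(..., safe="") approximates.
SAMPLE_ESCAPED = quote(SAMPLE_PEM, safe="")
# What a proxy forwarding the older $ssl_client_cert variable tends to produce.
SAMPLE_TABBED = SAMPLE_PEM.replace("\n", "\n\t")

if __name__ == "__main__":
    for label, header in (("raw", SAMPLE_PEM), ("escaped", SAMPLE_ESCAPED),
                          ("tabbed", SAMPLE_TABBED), ("garbage", "not-a-cert")):
        print(label, "->", decode_client_cert_header(header))
```

Because a raw PEM contains no `%`, percent-decoding it is a no-op, so the fallback never corrupts a value that was already fine; the style label is worth keeping for logging so a misconfigured proxy shows up as a sudden shift from one style to the other.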

nebhale commented 5 years ago

Great work! Thanks for the contribution and it'll go out in the next version of the Java Buildpack.