Configuring X509 Authenticator in WSO2 IS when NGINX fronting with SSL Tunneling
What is SSL Tunneling?
With SSL tunneling (also called SSL passthrough) the client's TLS session is established directly with the web server behind NGINX. NGINX only forwards the encrypted TCP stream to the backend; the request from the client is never decrypted by NGINX.
To use the X509 Authenticator in WSO2 Identity Server, NGINX can be set up for SSL tunneling. The TLS handshake, including the client's X.509 certificate, then takes place between the client and the Identity Server, so the certificate reaches IS intact.
SSL tunneling is different from SSL termination and SSL bridging. With termination, NGINX decrypts the client's request and forwards it to the Identity Server; with bridging, NGINX decrypts the request and re-encrypts it on a second TLS session to the Identity Server. In both cases the client certificate is consumed by NGINX's own handshake and never reaches IS, which is why neither works for X509 authentication.
To configure X509Authenticator with SSL Tunneling using NGINX, you have to follow the following steps:
- Configuring NGINX for SSL tunneling
- Configuring proxy ports in IS
- Change the authentication SAML endpoint in travelocity sample
- Configuring X509 Authenticator for WSO2 Identity Server
Let’s see these steps in detail
1. Configuring NGINX 1.15.8 for SSL tunneling
- Create a directory called “conf.d” inside /usr/local/etc/nginx/
- Create a configuration file lb inside /usr/local/etc/nginx/conf.d/
- Add the following stream block inside /usr/local/etc/nginx/conf.d/lb configuration file
stream {
    upstream web_server {
        server localhost:9443;
    }
    server {
        listen 443;
        proxy_pass web_server;
    }
}
- Include this lb configuration file in /usr/local/etc/nginx/nginx.conf outside the http block. A stream block belongs to the main context, so the include must not be nested inside http {}; the nginx binary also has to be built with the stream module (check the output of nginx -V for --with-stream).
#user  nobody;
worker_processes  1;
#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
}

include /usr/local/etc/nginx/conf.d/lb;
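To make the difference concrete, the following is an added example (not configuration from the original post) that puts the two NGINX approaches side by side. The first block is the TLS termination setup that silently breaks X509 authentication; the second is the stream passthrough this post uses. The certificate and key paths are placeholders, and the two blocks are alternatives, not meant to be active at the same time since both bind port 443.

```nginx
# Added example, not from the original post. Two ways to put NGINX on :443
# in front of WSO2 IS on :9443. Only the second keeps X509 authentication
# working. Use ONE of the two blocks, never both (both bind port 443).

# --- WRONG for X509 auth: TLS termination in the http context ------------
# NGINX completes the client's TLS handshake with its own certificate and
# opens a second TLS session to IS. The client certificate stays at NGINX;
# Tomcat in IS never receives it, so the X509 authenticator has nothing to
# validate and the login fails or falls through to another authenticator.
http {
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate     /etc/nginx/is.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/is.key;   # placeholder path
        location / {
            proxy_pass https://localhost:9443;
        }
    }
}

# --- RIGHT for X509 auth: TLS passthrough in the stream context ----------
# NGINX forwards raw TCP bytes. The TLS handshake, including the client
# certificate, runs end to end between the browser and Tomcat in IS.
# Caveats a practitioner should know:
#   * NGINX cannot see or set HTTP headers here (no X-Forwarded-For,
#     no URL rewriting), which is why IS itself must know the proxy port.
#   * Requires an nginx built with the stream module (nginx -V shows
#     --with-stream).
stream {
    upstream web_server {
        server localhost:9443;
    }
    server {
        listen 443;
        proxy_pass web_server;
    }
}
```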
2. Configuring the Proxy Port in IS nodes
By default, WSO2 Identity Server runs on 9443 port. The following steps describe how you can configure a proxy port of 443.
- Open the <wso2is-5.3.0>/repository/conf/tomcat/catalina-server.xml file and add proxyPort="443" to the https Connector as follows.
The proxy port cannot be handled by the load balancer alone: with SSL tunneling NGINX never sees the HTTP layer, and authenticating to the IS Dashboard involves a POST and redirects whose URLs are generated by IS from the connector's proxy port. So if you are planning to use the Identity Server Dashboard, you must do this configuration. Use this document.
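The connector attributes that matter for this setup, as an added illustration (not copied from the shipped catalina-server.xml): the shipped Connector carries more attributes (keystore, ciphers, protocols, and so on) which stay as they are; only proxyPort is new. The clientAuth="want" attribute is assumed here because Tomcat only requests the client certificate, which the X509 authenticator reads from the servlet request, when it is set.

```xml
<!-- Added example, not the shipped file. Only the attributes relevant to the
     post are shown; keep the other attributes of the existing https Connector
     in <IS_HOME>/repository/conf/tomcat/catalina-server.xml unchanged. -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           proxyPort="443"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="want" />
<!-- port      : where Tomcat actually listens (NGINX tunnels 443 -> 9443)
     proxyPort : port IS writes into redirects and absolute URLs it generates,
                 since NGINX cannot rewrite them in a TCP passthrough
     clientAuth: "want" makes Tomcat send a CertificateRequest, so a client
                 that has a certificate presents it and IS can read it -->
```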
3. Change the authentication endpoint in travelocity sample
Since NGINX now listens on port 443 in front of IS, the authentication endpoint on the client side has to point at 443 instead of 9443.
- Go to travelocity.properties in the directory <Catalina_Home>/webapps/travelocity.com/WEB-INF/classes/
- Change the SAML2.IdPURL property to https://localhost:443/samlsso
4. Configuring X509 Authenticator for WSO2 Identity Server
Follow the steps mentioned in this blog
Now you have configured X509 Authenticator for WSO2 IS through SSL tunneling with NGINX!
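Before testing the login itself, it is worth checking that NGINX really is tunneling and not terminating TLS. The script below is an added example (not part of the original post): it compares the SHA-256 fingerprint of the certificate a client sees on the NGINX port with the one Tomcat serves on 9443, and checks whether the server asks for a client certificate at all. With a real tunnel both fingerprints are identical, because the client is talking to Tomcat's TLS stack; with termination the client sees NGINX's own certificate. The hosts and ports default to the values used in the post and can be overridden with the PROXY_HOST, PROXY_PORT, IS_HOST and IS_PORT environment variables; openssl must be installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify that NGINX on :443 is a
# TLS passthrough to WSO2 IS on :9443 rather than a TLS terminator.
# Assumes openssl is on PATH; host/port defaults match the post.

# SHA-256 fingerprint of the leaf certificate presented at host:port.
# Prints an empty string if no certificate could be retrieved.
leaf_fingerprint() {
    host="$1"; port="$2"
    openssl s_client -connect "${host}:${port}" -servername "${host}" \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2
}

# Does the server send a CertificateRequest? openssl s_client prints
# "Acceptable client certificate CA names" when it does. With passthrough
# this comes from Tomcat (clientAuth="want"); an NGINX terminator without
# ssl_verify_client never asks, so the X509 authenticator can never fire.
server_requests_client_cert() {
    host="$1"; port="$2"
    openssl s_client -connect "${host}:${port}" -servername "${host}" \
        </dev/null 2>/dev/null \
        | grep -q 'Acceptable client certificate CA names'
}

# Interpret the two fingerprints:
#   passthrough - same leaf cert on both ports: NGINX is a pure TCP tunnel
#   terminated  - different certs: NGINX terminates TLS, client certs are lost
#   unknown     - one side returned nothing (port closed, not TLS, ...)
classify_tunnel() {
    fp_proxy="$1"; fp_backend="$2"
    if [ -z "$fp_proxy" ] || [ -z "$fp_backend" ]; then
        echo unknown
    elif [ "$fp_proxy" = "$fp_backend" ]; then
        echo passthrough
    else
        echo terminated
    fi
}

# Live check against the hosts/ports from the post (overridable via env).
# Returns 0 only when the tunnel is intact and the server asks for a cert.
check_tunnel() {
    proxy_host="${PROXY_HOST:-localhost}"; proxy_port="${PROXY_PORT:-443}"
    is_host="${IS_HOST:-localhost}";       is_port="${IS_PORT:-9443}"
    fp_proxy="$(leaf_fingerprint "$proxy_host" "$proxy_port")"
    fp_is="$(leaf_fingerprint "$is_host" "$is_port")"
    verdict="$(classify_tunnel "$fp_proxy" "$fp_is")"
    echo "proxy   ${proxy_host}:${proxy_port}  ${fp_proxy:-<no cert>}"
    echo "backend ${is_host}:${is_port}  ${fp_is:-<no cert>}"
    echo "verdict: ${verdict}"
    if server_requests_client_cert "$proxy_host" "$proxy_port"; then
        echo "client certificate requested through the proxy: yes"
        asks=0
    else
        echo "client certificate requested through the proxy: NO"
        asks=1
    fi
    [ "$verdict" = passthrough ] && [ "$asks" -eq 0 ]
}

# Only touch the network when explicitly asked, so the functions can be
# sourced or tested without a running NGINX/IS.
if [ "${1:-}" = "--live" ]; then
    check_tunnel
fi
```

Run it as `bash check_tunnel.sh --live` (file name is your choice) with NGINX and IS up. A verdict of "terminated" means NGINX's own certificate is being presented on 443, and the X509 authenticator will never receive the client certificate no matter how IS is configured; "unknown" usually means nothing is listening on one of the ports or the stream module is not compiled in, so NGINX rejected the config.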