diff --git a/certs/server.crt b/certs/server.crt new file mode 100644 index 0000000000..e20433552a --- /dev/null +++ b/certs/server.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExTCCA62gAwIBAgIUfLat+AulV/08NBkjBGc3SST07FkwDQYJKoZIhvcNAQEL +BQAwQTELMAkGA1UEBhMCUEgxCzAJBgNVBAoTAlBIMQswCQYDVQQLEwJQSDELMAkG +A1UECBMCUEgxCzAJBgNVBAcTAlBIMB4XDTI1MDYyNzE2NDQ0MFoXDTI2MDYyNzIy +NDQ0MFowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAvDgWhvaFH8c3hw1b9Cg+m9KTjlSmp/Z7/RT+WGhWJSLTiPLI +xtiKLuKXWt2fqzw+6BuSlN75ABkQVGelNlkD6MU8NjCmCA209vXbpYs6lVLGxg78 +kl5Qtt0dkmYI0gR32IGNeNn1h8jwNZ0wUiD86HxG6TODRtDdYcrzEsfDgC0BGdub +1E838YoOFeM4JOnb35Ub1UDovvqdmM6FjJJgKyV2J57+R4WjkdDLsfR+ABodfCDG +yOAJbbjAJOrCjVWTWlLUyqzYiwCvuZvY05dV6pYf66uYmYdrboAjcJZCTEbCSH7E +i7TvtETWl3bJIA4YosUlZhawj5mkc9R2JpcQZQIDAQABo4IB4DCCAdwwCQYDVR0T +BAIwADBiBgNVHR8EWzBZMFegVaBThlFodHRwczovL2FwcC5pbmZpc2ljYWwuY29t +L2FwaS92MS9wa2kvY3JsL2JhMzc1ODg4LWUyNmItNGZmMS04ZGNmLTJjYTdmOGQ0 +NWJkNS9kZXIwHwYDVR0jBBgwFoAUIBdB7m5bs/MAaQ3F6WJw76/a9EwwHQYDVR0O +BBYEFE7ZzdsLO1Mlltx6FrlMP0vvF+y5MIGiBggrBgEFBQcBAQSBlTCBkjCBjwYI +KwYBBQUHMAKGgYJodHRwczovL2FwcC5pbmZpc2ljYWwuY29tL2FwaS92MS9wa2kv +Y2EvYWJiNmE3MTktNGZiZC00MmQzLTlhYjItYWU0NTYwY2QyMDI1L2NlcnRpZmlj +YXRlcy8wMTQ3NzAyMi05ZjM0LTQyN2MtYTQ2My0wOWU3ZWIxMGZlNDIvZGVyMBEG +A1UdIAQKMAgwBgYEVR0gADAPBgNVHQ8BAf8EBQMDB/+AMEgGA1UdJQEB/wQ+MDwG +CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMJBggrBgEFBQcD +AQYIKwYBBQUHAwgwGAYDVR0RBBEwD4INbG9jYWxob3N0LmNvbTANBgkqhkiG9w0B +AQsFAAOCAQEAafz9KPgUYh90JNYrk7CVdt1Yti11xuWg8BKb9g/xnYnw1C7Vk45t +XIsSH5KAB45Z4Llfmd7y4vn9NxWNaLSHyGeSnzJC8w8LvnKC534B9W2734D5USgT +3eSdyQZuBjFwWKQ6G7CpGWmtvKBMO8CpcdfMsjK3GPgFHgqjXGiUKgg6CCTm7rgD +nR2Y5rNXUJKNG00OYVy2Fb/t/s+YB7cdUagE2324QJNu+jj3OL4rQ0coJGQp/Egd +8kcUtG8v0QktlnGmEdtORR4xRM4OQdewJa2n4vjk6suWrGELfc780S38XltMaeut +CkRU2ElJXwqCj6MkV1zIeZcRM5fOZTeotA== +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/certs/server.key b/certs/server.key new file mode 100644 index 0000000000..349e7e565b --- /dev/null +++ b/certs/server.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8OBaG9oUfxzeH +DVv0KD6b0pOOVKan9nv9FP5YaFYlItOI8sjG2Iou4pda3Z+rPD7oG5KU3vkAGRBU +Z6U2WQPoxTw2MKYIDbT29dulizqVUsbGDvySXlC23R2SZgjSBHfYgY142fWHyPA1 +nTBSIPzofEbpM4NG0N1hyvMSx8OALQEZ25vUTzfxig4V4zgk6dvflRvVQOi++p2Y +zoWMkmArJXYnnv5HhaOR0Mux9H4AGh18IMbI4AltuMAk6sKNVZNaUtTKrNiLAK+5 +m9jTl1Xqlh/rq5iZh2tugCNwlkJMRsJIfsSLtO+0RNaXdskgDhiixSVmFrCPmaRz +1HYmlxBlAgMBAAECggEACM2ofu87+57zVBEKm5ApLFvA5HoOiyjkC29NOQdZamr1 +A1fGjtnOO6AEGSF6ioDKuQJ7bIJELBCSVD4HpAqthWqehMUyl/fWcNl2tmR42EbV +TGFaNXSothTbgV9LgghWChkRtQcyepXOsLD8c3QViVLDUAXXx5reJsReTdnaXAcF +ltgQwTCaPwyG1oe/66o/71zrRo/fsjzxY4IK4D9mdDABc1/sBU1kFKbW+ld37qHC +st9q+WJquniAdjCbII4YnhfUXfLbVqfDRU5N6s5u9lfetb6Uuc10BeGO4oxLtOUA +twseUmABdgHaleZoI8H5s2ormtjyecFkeCBka65bFQKBgQD3nM8ROEVQvuGkloFv +tSVXvBG9MRpu5dSRH/hiaDCh4YI4sHzt0F1PXHQuZ2Gvcub5KCggimG1xQ30X80l +rq2wOLZMogmcogdTxL2PZPJpUrYaq9QhFOgNmhItsr7AszCsZ4NbmDtNlr2ZRzBY +l8S3Ku87+qcH2CjSpaoqN5kSvwKBgQDCmD6NoWzqoJVtekxOOux1TiRuLsYvOTK6 +ARMSYQDReJhIMfmDoIXuH+ejvh9FBDMjXk466zs01sXG+cXSsz6kj+YI/pk5U3XT +8HEQtCjpF6HwngwRAxYd5nrmi3RpSnlxOrpSEwE9rjL+e4Nd91dZZ/RYgZfmDdGt +38A7xei52wKBgQCE4ieSIzO30KjBrm/KZlmjCvAuK0L3TupT8+dV0HqA9cfv6m8x +JUheRcyn9p1LDgv8nNtkEz+60ATcJ+mtll/qGZVj7PXhlGcAQq5EXTVm5peKGrre +Ah1C53NoCOwr+D5f17F8H2d8DTC1KKo+cTyF3EnFU4/+Org1y+hVfb7tewKBgBRm +z9Abh4bF1UTIGK3vAZF+4tTmdILI9WeI6032+5X6lcSj8Kv7LW98ytVg/nhG63Ge +1obY2Lk+dzfYQgRIJJ4uNAjnYHshI+5XfBMrQErH3oOSnmM+Nphl7Ka1IjxTwY28 +gYJPWcb0t4X0vx4f63mFK5oH5DwLYNtg5Q+fPToXAoGBAJBd0uYfkqAONG/qQfl7 +FsqacjX2QT5LTV47TrPm/5Bswe8TKVjHrXzjqHl/9lin5YwMA+E9xRfIQgm32MTJ +lS1FuAw1/810Bb0mKPyj56capozfGOOlpP4m3aekNH3cbrkp1wemUe7/1YLGeUvh +WREq3xdnmdockLlGwSEP44Zy +-----END PRIVATE KEY----- \ No newline at end of file 
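Review bot: `certs/server.key` is an unencrypted private key committed to the repository, so everyone with read access to the history holds the key for the certificate in `certs/server.crt`; the same applies to `client-cert/key.pem` later in this diff. Deleting the files in a follow-up commit would not remove them from history, so both key pairs should be treated as public and never trusted outside local development. I would generate the dev key pair at setup time and ignore the output with `certs/*.key` and `client-cert/key.pem` in `.gitignore`; if checked-in fixtures are kept, a README next to them should say they are test-only.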
diff --git a/client-cert/cert.pem b/client-cert/cert.pem new file mode 100644 index 0000000000..e7b50974b0 --- /dev/null +++ b/client-cert/cert.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEnDCCA4SgAwIBAgIUS5lVY5ilccwNiiK/UPaA1q85YqAwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEChMJY2xpZW50LWNhMB4XDTI1MDYyNzE2NTcwMVoXDTI2MDYy +NzIyNTcwMVowGDEWMBQGA1UEAxMNbXktY2xpZW50LmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOlDpYHyBgfI3iYxITxI/AL9Wv/QyoegdVEQGLCv +V2yNP4Vs3Q6MF6SpiPgxgj3uWDm6frqreDi0J48wmnW24Hvhc1G9Gih44e+xb808 +we9dB+cgK4Tk5QWNvSi6GEsoyDqZE51GVuu58gvrKT3ZAEeD/F8gcdWFDXnxRbA+ +6Nbx9i0vA4VBVoD/N0kAmvuMK+l0kq1qSSaG+t5GIR2k7rqNLUK9imGnRqycTMed +2Gqz2cmUSQavUzzhNZchNqaP5N0cIBw3DDLnUrYdwt7hs0xOHYg6nsRGnW05Ql1b +AQfdLcktthAzQKHVhsZgfH7oIM8JVn0JITUWFigtccbWFW8CAwEAAaOCAeAwggHc +MAkGA1UdEwQCMAAwYgYDVR0fBFswWTBXoFWgU4ZRaHR0cHM6Ly9hcHAuaW5maXNp +Y2FsLmNvbS9hcGkvdjEvcGtpL2NybC8wYWI1ZTY3OC1mM2E2LTRmZmUtODFmMy02 +NGFjYTU5OWE1NzgvZGVyMB8GA1UdIwQYMBaAFHm6PIGGRDT1ovFvl+uoeiRKNmwi +MB0GA1UdDgQWBBSKQFs8zUvZV5c1EVOxgikDjLB1HjCBogYIKwYBBQUHAQEEgZUw +gZIwgY8GCCsGAQUFBzAChoGCaHR0cHM6Ly9hcHAuaW5maXNpY2FsLmNvbS9hcGkv +djEvcGtpL2NhLzAzNDU3NzdhLTM1MTQtNGNjNi1hZDZkLWUwNGQ3MDNiMzlkYi9j +ZXJ0aWZpY2F0ZXMvNTVmNTY3YjMtN2IxZi00NDRlLWFjODEtNThlYmY5YjBjOGEx +L2RlcjARBgNVHSAECjAIMAYGBFUdIAAwDwYDVR0PAQH/BAUDAwf/gDBIBgNVHSUB +Af8EPjA8BggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCQYI +KwYBBQUHAwEGCCsGAQUFBwMIMBgGA1UdEQQRMA+CDW15LWNsaWVudC5jb20wDQYJ +KoZIhvcNAQELBQADggEBAAktLnY93gBhNvBuDM2gI5JS3NK+GV75lF665K2flJB9 +SMM2Bw64nrQveMeNpYEX8FOgQlGKKPVUEAxYAWbp5IHyjfpCSYJDsTk2DkyjgAmi +RxIPCR4UMVKszmzhU+yiSALdLxGhdNWG/1wTjhQ7JCnyXW/DI8xueraEGgtKEUGa +PSdgXzrqcsj/MhOAeGF3a0CrfhpTLsnU0nYcAj0c6BWDk0OCZaGVf3Qz+mKLPn37 +hpOb+9TzKQSEUCrRhiPGJXqQZyFr6BeiwHip6MY2/diAr9i+fqYw3o9lcHXr83RY +tOk8ooBMAtGjLtRF2ze1yJXdC2fJJXRmEPsrPSfndeU= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/client-cert/chain.pem b/client-cert/chain.pem new file mode 100644 index 0000000000..2346dc76d7 
--- /dev/null
+++ b/client-cert/chain.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeCgAwIBAgIUWd+4Vphs3TCLo8yTsPIWkvwM8C4wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEChMJY2xpZW50LWNhMB4XDTI1MDYyNzE2NTYyMFoXDTM1MDYy
+ODAwMDAwMFowFDESMBAGA1UEChMJY2xpZW50LWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwipE/aDty9zB/yRAiavsEFAMiDpJqaK0r3foVJN80vyV
+5M0KX/0FlWdCZZ3X/uWL2Hmo342cJuqwy/F+u3fuMlwq/857SF+hoLH21Rb7KvJb
+1P8zAVfY7mtQgWgdFJSUWlCym2nEhuc08hMPgI7bJgYAEuZoHVBL7p8/unm4Uu+D
+HQHCS+kDdszU+3CZ/OVX730PMunnel5CqUnzlQuJ1ytjPiTCVxRfvxZk5bF7g77Z
+mYxAuBwuO9LSIxqW5zw/DIwYwON+jl6uJ7D49FIP4BpFxybraHYOJuPB1XDBLQFB
+U15ZtoyrpMBPXTQ1CmlmAAceAyeqL9G56MtPF89r4wIDAQABo0IwQDAPBgNVHRMB
+Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUebo8gYZENPWi8W+X
+66h6JEo2bCIwDQYJKoZIhvcNAQELBQADggEBALU27Uym4eryVwvcs9cbnPyw4v0C
+oWpwgyQrC0NMw+Gm0IVhEJxzp53DQLQ74r04gSHNfaCTlMv3lypF1bligZjrRFA5
+sGEWqZ9jMTgkNRZPUMjgzfPgDOaRQEnUeLUksTX81h04fu5XNYll12Q/91fSEJcT
+BbuXE0fvxYgou5HsbXR7BTK4CFFJj9dI4c59nTrGg4DlCtbA6UlbxNNM3YePdb5A
+tlyY8tXJYXS3bulbW4/uJuqhZAv8WGgQ9bCh4OdcHQ2hI6IB3P2tPGh5bjDICdbP
+10FBSwOuMxpiQuAKljMnfOsSzn09j4GgNBc0Ek1OlTIr26ybXvXxw1V532s=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/client-cert/exec.sh b/client-cert/exec.sh
new file mode 100644
index 0000000000..0c32765a67
--- /dev/null
+++ b/client-cert/exec.sh
@@ -0,0 +1,8 @@
+curl \
+ --request POST \
+ --insecure \
+ --cert cert.pem \
+ --key key.pem \
+ -d '{"identityId": "a87a7a3b-345c-46b2-a95a-54a608e0538b"}' \
+ -H "Content-Type: application/json" \
+ https://localhost:8443/api/v1/auth/tls-cert-auth/login
\ No newline at end of file
diff --git a/client-cert/key.pem b/client-cert/key.pem
new file mode 100644
index 0000000000..8411a01f10
--- /dev/null
+++ b/client-cert/key.pem
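Review bot: In `client-cert/exec.sh`, `--insecure` turns off server certificate verification on the one request that performs certificate-based login, so the script never checks which server it is authenticating to on `localhost:8443`. I would verify against the issuing CA instead, e.g. `--cacert <path-to-dev-server-ca.pem>` (placeholder; the server certificate's CA is not part of this diff), and fix the server certificate if the name check then fails. The script also has no shebang and resolves `cert.pem` and `key.pem` relative to the working directory; a first line `#!/usr/bin/env bash` plus a comment such as `# run from client-cert/ so cert.pem and key.pem resolve` would document that.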
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDpQ6WB8gYHyN4m +MSE8SPwC/Vr/0MqHoHVREBiwr1dsjT+FbN0OjBekqYj4MYI97lg5un66q3g4tCeP +MJp1tuB74XNRvRooeOHvsW/NPMHvXQfnICuE5OUFjb0ouhhLKMg6mROdRlbrufIL +6yk92QBHg/xfIHHVhQ158UWwPujW8fYtLwOFQVaA/zdJAJr7jCvpdJKtakkmhvre +RiEdpO66jS1CvYphp0asnEzHndhqs9nJlEkGr1M84TWXITamj+TdHCAcNwwy51K2 +HcLe4bNMTh2IOp7ERp1tOUJdWwEH3S3JLbYQM0Ch1YbGYHx+6CDPCVZ9CSE1FhYo +LXHG1hVvAgMBAAECggEAAR6xOUeeeNznGGncy3Ny2RjKl2mGJN8p+2lgoFY3B13I +cnkKfnn9nkLkz1GjosLQkxOAE6TX9nyJZB6N9Zos261dMk8vxGkmsB4zHLq1LrQS +Zo/wgwWfLmwBDmNTCUnUnby84Js4uz2+5yhBKQWQpIGj/ApM/EZ4YvGjQMJs+z2B +rNeeAozNCIe8iUGTnPj+etklJuNqEU2yurRxHfdLFz9NIqWdHCm/T3gpdNtMwNSk +l85kNzUMzWsKY0B3LT28jEq4JFoPQcRsh2tB7lcO/raoL0GQfilTHDy9NwPj61Jd +Xo9uiTHGOL9KucMFYkKcaFL6YdPXEH8OrqK59Cdx9QKBgQD9o03JLVzYhg+xo99X +RZYG1L+tqA8U5IK5nLtTCjMHn6qpOW4NdjVhlpn6P/Fv7CPHFNXIiFfTA7jBciHR +PRJB8EIL8rgGcQUys4uOeVWFH4O6bRslczuxeIaXetikE9JnsQUoSRRKGzTtbM4K +i3mNRLvI4kKDlLNZ6WpNVGsjwwKBgQDrb8UdJSM7Cxat3lWtsSvBIg7txbYCaBOZ ++j00pYVpgmG8qxzMX3XHD/jgSS38O593NX7Xv+wjFOweJb6/3t3PEP2calYyEdJE +n2O1EflDG5+j8hiiRV1yrMzV1fgr0gRYRdrS+BQngvZNQOJP2XiyI8dxlenA/P16 +pB53lYsI5QKBgHZXZYnCIpncIyJtJV3g19kkFrL9wNusqtnTqQtbrOeXtdbzNsgN +KWb5D6rVft8LvL28mOrRwrhv+ho4GFM6PXSKlyZf/0DyJsy7PRgiwKY2SA4JrirR +Ez8AzzuKU95qaTd8Pr3HKzJQc2d75r7AyNwC/+MAvqwKC4yd/b1K8BplAoGBAKER +4mTCF4w5Vda1mSAvaaPDzTrWXGLhGSfqjx0JcHByhrMwzY70b/sz7ixjZFZ/4+UG +cDTiVIbbtX4ajJlvu4gCM79i8H1ou9W+xdQG6+UBbQIYisnZcskVdz2EGTjBgb9y +avaSSheN/Tt0/F9shKo62CPZUAZ8Dl5tEXr2kBwRAn8f9TVPVlwOnJJibgRv8uqc +T7qewRNZ7+zgyPvp8jyNmue+f7UPiisKSws6znRBse6kknElfn2lsYe/mr0Dokfw +YtjLzo3M04IjkqZlwDNR5VPtsCqhDeSi1OhfsDUYzZIGNtg6kMASLOxUthR5IQ/V +kgQRIedGzc8Dz8CBnFIo +-----END PRIVATE KEY----- \ No newline at end of file diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 590e177634..f789791ca8 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml 
@@ -4,12 +4,13 @@ services:
 nginx:
 container_name: infisical-dev-nginx
 image: nginx
- restart: always
+ restart: "no"
 ports:
 - 8080:80
 - 8443:443
 volumes:
 - ./nginx/default.dev.conf:/etc/nginx/conf.d/default.conf:ro
+ - ./certs:/etc/ssl/certs
 depends_on:
 - backend
 - frontend
diff --git a/nginx/default.dev.conf b/nginx/default.dev.conf
index 2dd32049b1..c1e38f24c6 100644
--- a/nginx/default.dev.conf
+++ b/nginx/default.dev.conf
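Review bot: The new `./certs:/etc/ssl/certs` volume in docker-compose.dev.yml is mounted read-write, unlike the `:ro` config mount on the line above it, and it replaces the container's `/etc/ssl/certs` directory, which on common base images is where the system CA bundle lives (worth confirming for the `nginx` image). nginx only needs to read the key pair, so I would mount it read-only at a dedicated path, `- ./certs:/etc/nginx/certs:ro`, and point `ssl_certificate` and `ssl_certificate_key` in nginx/default.dev.conf at `/etc/nginx/certs/`. The `nginx` service definition continues outside the hunk.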
@@ -80,3 +80,122 @@ server {
 proxy_redirect off;
 }
 }
+
+server {
+ listen 443 ssl;
+
+ large_client_header_buffers 8 128k;
+ client_header_buffer_size 128k;
+
+ # SSL Configuration
+ ssl_certificate /etc/ssl/certs/server.crt;
+ ssl_certificate_key /etc/ssl/certs/server.key;
+
+ # Client Certificate Configuration - Request cert but let API handle validation
+ ssl_verify_client optional_no_ca; # Request client cert but don't enforce validation at nginx level
+
+ location ~ ^/(api|secret-scanning/webhooks) {
+ proxy_set_header X-Real-RIP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+
+ # Forward client certificate information
+ proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+ proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+ proxy_pass http://backend:4000;
+ proxy_redirect off;
+
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ }
+
+ location /runtime-ui-env.js {
+ proxy_set_header X-Real-RIP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+
+ # Forward client certificate information
+ proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+ proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+ proxy_pass http://backend:4000;
+ proxy_redirect off;
+
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ }
+
+ location /api/v3/migrate {
+ client_max_body_size 25M;
+
+ proxy_set_header X-Real-RIP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+
+ # Forward client certificate information
+ proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+ proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+ proxy_pass http://backend:4000;
+ proxy_redirect off;
+
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ }
+
+ location /.well-known/est {
+ proxy_set_header X-Real-RIP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+
+ # Forward client certificate information
+ proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+ proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+ proxy_pass http://backend:4000;
+ proxy_redirect off;
+
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ }
+
+ location / {
+ include /etc/nginx/mime.types;
+
+ proxy_set_header X-Real-RIP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Forward client certificate information
+ proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+ proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+ proxy_pass http://frontend:3000;
+ proxy_redirect off;
+ }
+}
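Review bot: With `ssl_verify_client optional_no_ca`, nginx accepts a client certificate without checking its chain, so `X-SSL-Client-Verify`, `X-SSL-Client-Subject-DN` and `X-SSL-Client-Issuer-DN` describe an unvalidated certificate and the backend has to validate the chain itself from `X-SSL-Client-Cert`. A comment next to the directive should say so, e.g. `# backend MUST validate the chain; the Verify/DN headers are not authenticated here`. These headers are only trustworthy if every route to the backend overwrites them: the existing plain-HTTP server block lies outside this hunk, and unless it already clears them it should carry `proxy_set_header X-SSL-Client-Cert "";` and the same for the other three, otherwise values supplied by the client on port 8080 would reach the backend unchanged. The forwarding block is also repeated in all five locations, including `location /`, which proxies to the frontend and presumably has no use for the certificate; limiting it to the API locations would keep the certificate out of requests that do not need it.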