SSL Terminator

The service is designed to work with a SSL Terminator / SSL Offloader as a frontend, in other words, all connections SHALL be verified with a HTTP SSL Server (Hardware terminators, Apache, NGINX, ...)

These servers will verify client and pass the SSL verification result to the Wakeup servers with these HTTP extended HEADERS:

NGINX example setup

If you decide to use NGINX as a software terminator , you can use this configuration file as a template.

Into the utils/test_ca folder of main wakeup_platform project (wakeup_platform) you will locate this sample configuration that can be used as a simple reference:

# See http://wiki.nginx.org/HttpSslModule
# and http://wiki.nginx.org/HttpProxyModule

server {
    listen        443;
    ssl on;
    server_name example.com;

    ssl_certificate /TEST_CERTIFICATES/server.crt;
    ssl_certificate_key /TEST_CERTIFICATES/server.key;
    ssl_client_certificate /TEST_CERTIFICATES/ca.crt;
    ssl_verify_client on;

    location /global/ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
      proxy_set_header X-Client-Cert-Verified $ssl_client_verify;

      proxy_pass http://localhost:8000/;
      proxy_redirect off;
    }

    location /local/ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
      proxy_set_header X-Client-Cert-Verified $ssl_client_verify;

      proxy_pass http://localhost:9000/;
      proxy_redirect off;
    }

}