I have my webapp with an Nginx reverse proxy in front acting as LB. The hosted webapp has two components: UI and API. The UI is normally accessible, but the API needs client certificates for authentication. Both are on the same hostname as they are part of a single webapp. Also, the client uses the same hostname mywebApp.com for UI and API.
I have headers userid and password which will distinguish the API request from other requests. Basically, if valid and matching headers are present in the request, attach proxy_ssl_certificate, proxy_ssl_certificate_key and proxy_ssl_trusted_certificate to the request, otherwise not.
My idea is to internally route this request to a new hostname/server_name.
Here is my nginx configuration.

    upstream my-webapp {
        hash $remote_addr;
        server my-app-1:8443;
        server my-app-2:8443;
        server my-app-3:8443;
    }

    map $http_userid $valid_user {
        default 0;
        validUsername 1;
    }

    map $http_password $valid_pass {
        default 0;
        validPassword 1;
    }

    map $valid_user$valid_pass $new_host {
        default "mywebApp.com";
        11 "api.mywebApp.com";
    }

    server {
        listen 80;
        return 301 https://$host_new$request_uri;
    }

    server {
        listen 443 ssl;
        server_name mywebApp.com;
        #...setting proxy headers
        location / {
            proxy_pass https://my-webapp/;
        }
    }

    server {
        listen 443 ssl;
        server_name api.mywebApp.com;
        #...setting proxy headers
        #...Additionally attach below certs
        proxy_ssl_certificate /etc/nginx/certs/api-cert.pem;
        proxy_ssl_certificate_key /etc/nginx/certs/api-key.key;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca-cert.pem;
        location / {
            proxy_pass https://my-webapp/;
        }
    }

This configuration behaves weirdly: sometimes UI requests get the certificates attached, and sometimes API requests go without the certificates attached.
If there is another way to achieve it, without multiple server blocks, please help.
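
nginx selects the `server` block from the Host header/SNI of the incoming request, so the `$new_host` map in the question can only influence the port-80 redirect, not which 443 block handles a request. The single-server layout below is an added example, not part of the original post: it reuses the same header maps and switches to a named location that carries the client certificate. It assumes the `return 418` / `error_page` internal-redirect idiom is acceptable and that upstream TLS session reuse should be off so a session authenticated with the certificate is not resumed for UI traffic; `$is_api` and `@api` are illustrative names.

```nginx
# Added sketch; $is_api and @api are names chosen here, the rest is from the question.
upstream my-webapp {
    hash $remote_addr;
    server my-app-1:8443;
    server my-app-2:8443;
    server my-app-3:8443;
}

map $http_userid $valid_user {
    default       0;
    validUsername 1;
}
map $http_password $valid_pass {
    default       0;
    validPassword 1;
}
map $valid_user$valid_pass $is_api {
    default 0;
    11      1;
}

server {
    listen 443 ssl;
    server_name mywebApp.com;
    # ssl_certificate, ssl_certificate_key and proxy headers as in the existing setup

    # Assumption: both locations share one upstream, so do not resume TLS
    # sessions; a resumed session keeps the identity it was negotiated with.
    proxy_ssl_session_reuse off;

    # 418 is used only as an internal signal to jump to @api.
    error_page 418 = @api;

    location / {
        if ($is_api) { return 418; }
        proxy_pass https://my-webapp/;
    }

    location @api {
        proxy_ssl_certificate         /etc/nginx/certs/api-cert.pem;
        proxy_ssl_certificate_key     /etc/nginx/certs/api-key.key;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca-cert.pem;
        proxy_pass https://my-webapp;  # no URI part allowed in a named location
    }
}
```

Validate the file with `nginx -t` before reloading.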