From 8e6db4850300c5176bf62cd8b570833015a93d25 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 20 May 2019 23:45:09 +0300
Subject: [PATCH] require client certificate for incoming connections on backend servers
---
 roles/nginx/server/templates/nginx.conf.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index 8944b51..7dbdb3e 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
@@ -31,6 +31,9 @@ http {
 ssl_trusted_certificate /etc/pki/tls/certs/ca.crt;
 ssl_certificate_key /etc/pki/tls/private/{{ inventory_hostname }}.key;
+ ssl_client_certificate /etc/pki/tls/certs/ca.crt;
+ ssl_verify_client on;
+ root /srv/web/{{ inventory_hostname }};
 include /etc/nginx/conf.d/{{ inventory_hostname }}/*.conf;
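Review bot: The added `ssl_verify_client on;` only proves that the peer holds a certificate chaining to `/etc/pki/tls/certs/ca.crt`; nothing in the hunk limits which certificate that is. The same file is already the `ssl_trusted_certificate`, so if this CA also issues the per-host server certificates (not visible here), any host holding one could present it as a client to the backend. Consider a dedicated CA for the frontends, or a subject check on `$ssl_client_s_dn` in the server blocks, and document the choice with a comment such as `# any certificate signed by ca.crt is accepted as a client`. Revocation is not checked either; a line like `ssl_crl <path-to-crl>;` (placeholder path) would let a compromised client certificate be withdrawn. The `http { … }` block starts and ends outside the hunk, so existing restrictions elsewhere in the template cannot be ruled out.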