Is Ingress-Nginx able to send unescape header to the backend?

Hi folks,

I'm using Nginx as my Ingress Controller in a Kubernetes deployment where WSO2 Identity Server 5.11 is at the backend.
I have a requirement of authenticating clients against the backend using a X509 certificate.
Also, I have to TLS terminate at Nginx.
I managed to put the corresponding certificate from the handshaking to a header in order to pass the request to the backend like WSO2 Identity Server is expecting.
The issue I'm facing is WSO2 Identity server requires the content of the header to be a standard PEM format, which means not escaped/encoded, just standard Base64 and Nginx send the header escaped (see below for a sample).
I tried using a lua block which effectively unescape the original value to the format I would like to send to the backend, but when the header is received at the backend it's always escaped.

Is there any way to send the content of a header unescaped?

Please help, any comments will be greatly appreciated.

Sample of the escaped certificate received by WSO2 Identity server:

`-----BEGIN CERTIFICATE-----%0AMIIEDjCCAvagAwIBAgIUCG/WzR4Z p1qGX9 lNVU f0K8P4wDQYJKoZIhvcNAQEL%0ABQAwgZYxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1v%0AbnRyZWFsMRAwDgYDVQQKDAdDaGFrcmF5MQswCQYDVQQLDAJJVDEYMBYGA1UEAwwP%0ASmFpcm8gRmVybmFuZGV6MSowKAYJKoZIhvcNAQkBFhtqYWlyby5mZXJuYW5kZXpA%0AY2hha3JheS5jb20wHhcNMjExMTMwMjEzNTIyWhcNMjIxMTMwMjEzNTIyWjCBmjEL%0AMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwx%0AEDAOBgNVBAoMB0NoYWtyYXkxCzAJBgNVBAsMAklUMRwwGgYDVQQDDBNjbGllbnRz%0ALmNoYWtyYXkuY29tMSowKAYJKoZIhvcNAQkBFhtqYWlyby5mZXJuYW5kZXpAY2hh%0Aa3JheS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC nYoRD/83%0AW9OYGMyp2wGhoMPcra2rPgHZf5irCupAIY/49gg1dsz/i7UMj2pK0IzW/dsGTdfl%0AGKuM4avKSqyAjlRvOhxk0A5Z/fmghjOiTWtBdp7jQ4zJcM9ip3 W4nRPi8Asv/A %0AeJyHcCCMppv0XguQKEhwusOyQHCNn7iQ0itT1kPfOAACpi0ZrcN777VlVZRu2LsW%0AdJfYUI1 e7u2OygCdL0B3HGbOZixoOJWEyoi1 0jiIxQmnv2ExDsabjbbdllus8 %0AJDdMUtswo xzGAe0IvGhHiFSOgNTSafLrHpYwCpG3/ikKQ SeULDF9yQ7F09bjpk%0AcyY7GgvaFUZ3AgMBAAGjTjBMMB8GA1UdIwQYMBaAFA1dKwqVgKPAg/2ciw6MyKGZ%0AsBg8MAkGA1UdEwQCMAAwHgYDVR0RBBcwFYITY2xpZW50cy5jaGFrcmF5LmNvbTAN%0ABgkqhkiG9w0BAQsFAAOCAQEAutYrzNJs92xXsJh kX7jvK9LZmP5F nsnSOLrM65%0Aa3jv4fkFalFTqx 82ie6ouekaTd9o4JF2jFkmj6B18AteuiM0xesO1ROdp pobZQ%0AfbGT8czViCQjtjiv1OC35unR2AkB9G22jD4OKaAh47T090QHCYGLpLloZrTGISbH%0ArNDGXeZjkTWhymuA1sSRUVIIytHqSzQmNOXC1RHK/ORcy mujOK7zKuLM6jaCgO%0A3FGQ1gh9FF2ooDN8GH9tqo5lzxfKtqd2z4HZ1yQ5QGWTDkHFeOJu6iSzLnO3Nayx%0A6a2 ud8QeN1nZKoMWDy4/BsRilE6Ap/ijQF82g BI/FyUw==%0A-----END CERTIFICATE-----%0A`

What I really need to send to the backend:
`-----BEGIN CERTIFICATE-----`
`MIIEDjCCAvagAwIBAgIUCG/WzR4Z p1qGX9 lNVU f0K8P4wDQYJKoZIhvcNAQEL`
`BQAwgZYxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1v`
`bnRyZWFsMRAwDgYDVQQKDAdDaGFrcmF5MQswCQYDVQQLDAJJVDEYMBYGA1UEAwwP`
`SmFpcm8gRmVybmFuZGV6MSowKAYJKoZIhvcNAQkBFhtqYWlyby5mZXJuYW5kZXpA`
`Y2hha3JheS5jb20wHhcNMjExMTMwMjEzNTIyWhcNMjIxMTMwMjEzNTIyWjCBmjEL`
`MAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9udHJlYWwx`
`EDAOBgNVBAoMB0NoYWtyYXkxCzAJBgNVBAsMAklUMRwwGgYDVQQDDBNjbGllbnRz`
`LmNoYWtyYXkuY29tMSowKAYJKoZIhvcNAQkBFhtqYWlyby5mZXJuYW5kZXpAY2hh`
`a3JheS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC nYoRD/83`
`W9OYGMyp2wGhoMPcra2rPgHZf5irCupAIY/49gg1dsz/i7UMj2pK0IzW/dsGTdfl`
`GKuM4avKSqyAjlRvOhxk0A5Z/fmghjOiTWtBdp7jQ4zJcM9ip3 W4nRPi8Asv/A`
`eJyHcCCMppv0XguQKEhwusOyQHCNn7iQ0itT1kPfOAACpi0ZrcN777VlVZRu2LsW`
`dJfYUI1 e7u2OygCdL0B3HGbOZixoOJWEyoi1 0jiIxQmnv2ExDsabjbbdllus8`
`JDdMUtswo xzGAe0IvGhHiFSOgNTSafLrHpYwCpG3/ikKQ SeULDF9yQ7F09bjpk`
`cyY7GgvaFUZ3AgMBAAGjTjBMMB8GA1UdIwQYMBaAFA1dKwqVgKPAg/2ciw6MyKGZ`
`sBg8MAkGA1UdEwQCMAAwHgYDVR0RBBcwFYITY2xpZW50cy5jaGFrcmF5LmNvbTAN`
`BgkqhkiG9w0BAQsFAAOCAQEAutYrzNJs92xXsJh kX7jvK9LZmP5F nsnSOLrM65`
`a3jv4fkFalFTqx 82ie6ouekaTd9o4JF2jFkmj6B18AteuiM0xesO1ROdp pobZQ`
`fbGT8czViCQjtjiv1OC35unR2AkB9G22jD4OKaAh47T090QHCYGLpLloZrTGISbH`
`rNDGXeZjkTWhymuA1sSRUVIIytHqSzQmNOXC1RHK/ORcy mujOK7zKuLM6jaCgO`
`3FGQ1gh9FF2ooDN8GH9tqo5lzxfKtqd2z4HZ1yQ5QGWTDkHFeOJu6iSzLnO3Nayx`
`6a2 ud8QeN1nZKoMWDy4/BsRilE6Ap/ijQF82g BI/FyUw==`
`-----END CERTIFICATE-----`

1 thought on “Is Ingress-Nginx able to send unescape header to the backend?”

  1. Why are you sending the certificate to the backend if you want to terminate TLS at the ingress controller? That makes zero sense. Just terminate and pass unencrypted traffic to the backend. Use a service mesh with mTLS if you need e2e encryption in transit.

    Reply

Leave a Comment