From ef7be11c6b38b88f2f56ba3f729865c4d9ba42db Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
Date: Tue, 7 Feb 2017 15:25:02 -0200
Subject: [PATCH] Corrects the location of proxy_set_header for client
 certificate

---
 controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 5b3aefa0d..5b6706eb0 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -226,8 +226,6 @@ http {
         ssl_client_certificate              {{ $location.CertificateAuth.CAFileName }};
         ssl_verify_client on;
         ssl_verify_depth 10;
-        proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
-
         {{ end }}
 
         {{ if not (empty $authPath) }}
@@ -294,6 +292,11 @@ http {
 
             proxy_set_header Host                   $host;
 
+            # Pass the extracted client certificate to the backend
+            {{ if not (empty $location.CertificateAuth.CAFileName) }}
+            proxy_set_header ssl-client-cert        $ssl_client_cert;
+            {{ end }}
+
             # Pass Real IP
             proxy_set_header X-Real-IP              $remote_addr;