Yeah, as jggimi pointed out, you would use client-side certificates (as a hard requirement, not a soft requirement) in nginx such that traffic couldn't hit the actual backend webserver until the client presented a valid signed certificate (which you could sign if you ran your own internal CA).
But like you said, distribution of the client-side certs would be a headache.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
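The hard-requirement setup the post describes, as an added example (not code from the original post or from nginx's documentation): the TLS handshake itself fails unless the client presents a certificate chaining to the internal CA, so nothing reaches `proxy_pass`. The hostname, the CA bundle path, and the backend address are placeholders.

```nginx
# Hypothetical nginx vhost requiring a client certificate signed by an internal CA.
server {
    listen 443 ssl;
    server_name app.example.internal;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # server cert (placeholder path)
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA bundle used to verify client certs; only certs chaining to it are accepted.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;  # placeholder path
    ssl_verify_depth 2;

    # "on" = hard requirement: a missing or unverifiable client cert aborts the
    # request with HTTP 400, so the backend never sees it. Changing this to
    # "optional" turns it into a soft check and the app would then have to inspect
    # $ssl_client_verify itself, which is exactly the gap the post wants to avoid.
    ssl_verify_client on;

    location / {
        # Forward the verified client identity so the backend can log/authorize on it.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;       # placeholder backend
    }
}
```

Revocation is the caveat: nginx checks the chain, not certificate status, so if a laptop is lost you also need `ssl_crl` pointing at a CRL issued by the same internal CA, which adds another distribution step on top of handing out the client certs.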