6

CN-based client authentification with nginx. This emulates Apache's SSLRequire (...

 1 year ago
source link: https://gist.github.com/schtobia/302cd39c0332240163f6
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

CN-based client authentification with nginx. This emulates Apache's SSLRequire (%{SSL_CLIENT_S_DN_CN} in {"Really Me"}) · GitHub

Instantly share code, notes, and snippets.

CN-based client authentification with nginx. This emulates Apache's SSLRequire (%{SSL_CLIENT_S_DN_CN} in {"Really Me"})

@schtobia: Thanks for the gist. Have you considered this https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/, which basically concerns using "if" in "location" ? It does surprise me how this common CN-based client access control scenario is not so straight-forward in nginx...

Update: Even "if" directive is troublesome as mentioned in the doc, they also said it would be ok if using with only "return" or "rewrite...". So the gist is still ok.

Thanks for the gist again.

Author

Thanks for the comment. +1 I know that if is considered evil, but at that time there was no other solution. Maybe there is now, but as this is a very exotic case for nginx, I doubt that. Hope you found it helpful!

Since nginx release 1.11.6, the formatting of $ssl_client_s_dn has changed to use commas instead of slashes.

In this case, the following line should work:

~(^|,)CN=(?<CN>[^,]+) $CN;

(Note the two cases that CN= could occur either at the beginning of the line or following a , character.)

Hi @schtobia ,

Awesome example.
I am trying similar thing but I get the value of $ssl_client_s_dn as blank in nginx when I connect to nginx via curl ( I am passing valid key and the cert as well as capath) Do you know where I might be going wrong?
I have added a question in more details here : https://serverfault.com/questions/1093641/rejecting-connections-based-on-a-pattern-in-nginx

Thanks,
Arpan

Author

Hi @arpan57,

I'm sorry, i didn't look into nginx for quite some time - I move my entire frontend to traefik.

hi @schtobia ,
Thank you for the quick response.

I managed to fix it. Posting solution here just in case it could aid someone.

In my configurations missing bit was ssl_verify_client optional; until we specify I learnt that unless we mention ssl_verify_client on or optional, the $ssl_client_s_dn variable is not set. It will keep printing blank.
A bit strange that nginx logs didn't say it, I had to figure it out by trial and error.
Hindsight it makes sense that without enabling client verification, what server will do with the client client subject DN.

Regards,
Arpan

Author

Thanks for the follow-up!


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK