@Anakin-Hao
Last active January 8, 2019 02:19
NGINX Extract DN from pem cert
# Extract attributes from the client certificate's subject DN. nginx >= 1.11.6
# renders $ssl_client_s_dn in RFC 2253 form ("CN=alice,O=realm1,C=US"); older
# releases used the OpenSSL one-line form ("/C=US/O=realm1/CN=alice"), so the
# value class excludes both separators. Anchoring to the start of an RDN stops
# "O=" inside another attribute's value (e.g. CN=xO=evil) from being matched.
map $ssl_client_s_dn $ssl_client_s_dn_cn {
    default "";
    "~(?:^|[,/])CN=(?<CN>[^/,]+)" $CN;
}
map $ssl_client_s_dn $ssl_client_s_dn_o {
    default "";
    "~(?:^|[,/])O=(?<O>[^/,]+)" $O;
}
Example:
server {
    listen 443 ssl;                  # "ssl on;" is deprecated and was removed in 1.25.1
    server_name localhost;
    ssl_certificate /root/ssl/private/nginx-selfsigned.crt;
    ssl_certificate_key /root/ssl/private/nginx-selfsigned.key;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 dropped

    # Mutual TLS: the client cert must chain to client.crt (a self-signed client
    # cert verifies against itself). "optional_no_ca" would accept any cert,
    # so a client could put whatever O= it likes in its subject and pass the
    # realm check below; the $ssl_client_verify test enforces the chain.
    ssl_client_certificate /root/ssl/private/client.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    location / {
        default_type text/plain;
        # First path segment is the realm. Capture from $uri (normalized, no
        # query string) rather than $request_uri, so "/realm1?x=y" yields
        # "realm1" and not "realm1?x=y".
        if ($uri ~ "^/([^/]+)") {
            set $realm_id $1;
        }
        if ($ssl_client_verify != SUCCESS) {
            return 401 "Client certificate missing or not verified";
        }
        if ($realm_id != $ssl_client_s_dn_o) {
            return 403 "Provided cert can't access $realm_id";
        }
    }

    # Same check with the realm taken from a named capture in the location
    # regex. A matching regex location wins over the prefix "location /"
    # above for every URI with at least one path segment.
    location ~* "^/(?<realm_id>[^/]+)" {
        default_type text/plain;
        if ($ssl_client_verify != SUCCESS) {
            return 401 "Client certificate missing or not verified";
        }
        if ($realm_id != $ssl_client_s_dn_o) {
            return 403 "Provided cert can't access $realm_id";
        }
    }

    # Debug endpoints echoing the extracted attributes (exact-match locations
    # take precedence over the regex location).
    location = /cn {
        default_type text/plain;
        return 200 $ssl_client_s_dn_cn;
    }
    location = /o {
        default_type text/plain;
        return 200 $ssl_client_s_dn_o;
    }
}
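The following Python script is an added example, not part of the gist, that models what the two map regexes capture and what the realm check decides, so the behaviour can be exercised without running nginx. The DN strings and request URIs are constructed fixtures in both DN forms nginx has used; `map_attr`, `realm_from_request_uri`, `realm_from_uri` and `authorize` are hypothetical helper names standing in for nginx's `map`, the `if` capture and the location block. It also goes beyond the gist by showing why the RDN anchoring matters and that an RFC 2253 escaped comma (`\,`) truncates the captured value.

```python
import re

# Constructed sample subject DNs (test fixtures, not certificates from the gist):
# RFC 2253 form used by nginx >= 1.11.6, and the older OpenSSL one-line form.
DN_RFC2253 = "CN=alice,O=realm1,C=US"
DN_LEGACY = "/C=US/O=realm1/CN=alice"
# Adversarial DN: the CN value itself contains the text "O=".
DN_TRICKY = "CN=xO=realm2,O=realm1,C=US"
# RFC 2253 escapes a comma inside a value as "\,".
DN_ESCAPED = r"CN=bob,O=Acme\, Inc.,C=US"

# Unanchored patterns, equivalent to the gist's original map regexes.
CN_UNANCHORED = re.compile(r"CN=(?P<CN>[^/,]+)")
O_UNANCHORED = re.compile(r"O=(?P<O>[^/,]+)")
# Anchored to the start of an RDN (start of string, ',' or '/').
CN_ANCHORED = re.compile(r"(?:^|[,/])CN=(?P<CN>[^/,]+)")
O_ANCHORED = re.compile(r"(?:^|[,/])O=(?P<O>[^/,]+)")


def map_attr(dn: str, pattern: re.Pattern, group: str) -> str:
    """Model an nginx 'map': the regex's first match wins, default is ''."""
    m = pattern.search(dn)
    return m.group(group) if m else ""


def realm_from_request_uri(request_uri: str) -> str:
    """Model the gist's capture on $request_uri, which still carries the
    query string, so the query can leak into the realm value."""
    m = re.search(r"/([^/]+)", request_uri)
    return m.group(1) if m else ""


def realm_from_uri(request_uri: str) -> str:
    """Model capturing from $uri instead: the query string is not part of it."""
    path = request_uri.split("?", 1)[0]
    m = re.search(r"^/([^/]+)", path)
    return m.group(1) if m else ""


def authorize(dn: str, ssl_client_verify: str, request_uri: str) -> int:
    """Hypothetical decision mirroring the hardened location block: 401 unless
    the cert chained to the configured CA ($ssl_client_verify == SUCCESS),
    403 when the realm does not equal the cert's O, 200 otherwise."""
    if ssl_client_verify != "SUCCESS":
        return 401
    if realm_from_uri(request_uri) != map_attr(dn, O_ANCHORED, "O"):
        return 403
    return 200


if __name__ == "__main__":
    for dn in (DN_RFC2253, DN_LEGACY, DN_TRICKY, DN_ESCAPED):
        print(dn, "->",
              "unanchored O:", map_attr(dn, O_UNANCHORED, "O"),
              "anchored O:", map_attr(dn, O_ANCHORED, "O"),
              "CN:", map_attr(dn, CN_ANCHORED, "CN"))
    print(authorize(DN_RFC2253, "SUCCESS", "/realm1/data"))
    print(authorize(DN_RFC2253, "FAILED:self signed certificate", "/realm1/data"))
```

The `DN_TRICKY` case is the one to note: with the unanchored regex the realm is read out of the CN, which the certificate holder controls, while the anchored version reads the real O attribute. `DN_ESCAPED` shows that a realm name containing a comma cannot be compared this way, because the map stops at the escaped separator.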