Last active
August 22, 2023 11:18
-
-
Save schtobia/302cd39c0332240163f6 to your computer and use it in GitHub Desktop.
CN-based client authentification with nginx. This emulates Apache's SSLRequire (%{SSL_CLIENT_S_DN_CN} in {"Really Me"})
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
map $ssl_client_s_dn $ssl_client_s_dn_cn { | |
default ""; | |
~/CN=(?<CN>[^/]+) $CN; | |
} | |
server { | |
listen 80; | |
listen [::]:80; | |
listen 443 ssl; | |
listen [::]:443 ssl; | |
server_name foo.bar.com; | |
if ($scheme = http) { | |
return 301 https://$server_name$request_uri; | |
} | |
ssl_certificate /etc/ssl/$server_name; | |
ssl_certificate_key /some/where/private; | |
ssl_client_certificate /the/root/of/all/client/cas.pem | |
ssl_verify_depth 3; | |
ssl_verify_client optional; | |
location ~ ^/safe { | |
if ($ssl_client_verify != SUCCESS) { | |
return 401; | |
} | |
if ($ssl_client_s_dn_cn !~ "Really Me") { | |
return 401; | |
} | |
} | |
} |
hi @schtobia ,
Thank you for the quick response.
I managed to fix it. Posting solution here just in case it could aid someone.
In my configurations missing bit was ssl_verify_client optional; until we specify I learnt that unless we mention ssl_verify_client on or optional, the $ssl_client_s_dn variable is not set. It will keep printing blank.
A bit strange that nginx logs didn't say it, I had to figure it out by trial and error.
Hindsight it makes sense that without enabling client verification, what server will do with the client client subject DN.
Regards,
Arpan
Thanks for the follow-up!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi @schtobia ,
Awesome example.
I am trying similar thing but I get the value of $ssl_client_s_dn as blank in nginx when I connect to nginx via curl ( I am passing valid key and the cert as well as capath) Do you know where I might be going wrong?
I have added a question in more details here : https://serverfault.com/questions/1093641/rejecting-connections-based-on-a-pattern-in-nginx
Thanks,
Arpan