Last active
August 22, 2023 11:18
CN-based client authentication with nginx. This emulates Apache's SSLRequire (%{SSL_CLIENT_S_DN_CN} in {"Really Me"})
```nginx
# Extract the CN component of the client certificate subject into $ssl_client_s_dn_cn.
# nginx before 1.11.6 formats $ssl_client_s_dn as /C=.../O=.../CN=...;
# 1.11.6 and later use RFC 2253 (CN=...,O=...,C=...), so both separators are accepted.
map $ssl_client_s_dn $ssl_client_s_dn_cn {
    default "";
    "~(?:^|[/,])CN=(?<CN>[^/,]+)" $CN;
}

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name foo.bar.com;

    # Force TLS so the client certificate is always requested over HTTPS.
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    ssl_certificate /etc/ssl/$server_name;
    ssl_certificate_key /some/where/private;
    # CA bundle used to verify client certificates. "optional" makes nginx request a
    # certificate without rejecting clients that send none, so the location below can
    # return 401 itself. Without "on" or "optional", $ssl_client_s_dn stays empty.
    ssl_client_certificate /the/root/of/all/client/cas.pem;
    ssl_verify_depth 3;
    ssl_verify_client optional;

    location ~ ^/safe {
        # Reject unless the client certificate chain verified against the CA bundle...
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
        # ...and the CN is exactly "Really Me". Apache's `in {"Really Me"}` is an exact
        # match; an unanchored regex test (`!~ "Really Me"`) would also accept a CN
        # such as "Not Really Me".
        if ($ssl_client_s_dn_cn != "Really Me") {
            return 401;
        }
    }
}
```
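The map and the /safe checks above, re-implemented as an added Python example (not part of the gist) so the CN extraction can be exercised against constructed subject DNs in both formats nginx may expose; it also contrasts the exact CN comparison that SSLRequire's `in {"Really Me"}` performs with an unanchored regex test.

```python
import re

# Mirrors the gist's map block: accept the legacy slash-separated DN as well as
# the RFC 2253 comma-separated form used by nginx 1.11.6 and later.
DN_CN_RE = re.compile(r"(?:^|[/,])CN=(?P<CN>[^/,]+)")

# The Apache-style allow set: SSLRequire %{SSL_CLIENT_S_DN_CN} in {"Really Me"}
ALLOWED_CNS = {"Really Me"}


def extract_cn(ssl_client_s_dn: str) -> str:
    """Equivalent of $ssl_client_s_dn_cn: "" unless a CN= component is present."""
    m = DN_CN_RE.search(ssl_client_s_dn)
    return m.group("CN") if m else ""


def authorize(ssl_client_verify: str, ssl_client_s_dn: str, exact: bool = True) -> int:
    """Return the HTTP status the /safe location would produce.

    exact=True compares the CN for equality (what `in {...}` does).
    exact=False reproduces an unanchored regex test such as `!~ "Really Me"`,
    which also accepts any CN that merely contains the string.
    """
    if ssl_client_verify != "SUCCESS":  # NONE, FAILED:<reason>, ... -> 401
        return 401
    cn = extract_cn(ssl_client_s_dn)
    if exact:
        return 200 if cn in ALLOWED_CNS else 401
    return 200 if any(allowed in cn for allowed in ALLOWED_CNS) else 401


# Constructed sample DNs (not taken from real certificates)
LEGACY_DN = "/C=DE/O=Example Org/CN=Really Me"
RFC2253_DN = "CN=Really Me,O=Example Org,C=DE"
LOOKALIKE_DN = "CN=Not Really Me,O=Example Org,C=DE"

if __name__ == "__main__":
    for dn in (LEGACY_DN, RFC2253_DN, LOOKALIKE_DN):
        print(f"{dn!r:45} CN={extract_cn(dn)!r} "
              f"exact={authorize('SUCCESS', dn)} "
              f"substring={authorize('SUCCESS', dn, exact=False)}")
```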
hi @schtobia ,
Thank you for the quick response.
I managed to fix it. Posting solution here just in case it could aid someone.
In my configuration the missing bit was `ssl_verify_client optional;`. I learnt that unless we mention ssl_verify_client on or optional, the $ssl_client_s_dn variable is not set. It will keep printing blank.
A bit strange that the nginx logs didn't say so; I had to figure it out by trial and error.
In hindsight it makes sense: without enabling client verification, what would the server do with the client subject DN?
Regards,
Arpan
Thanks for the follow-up!
Hi @arpan57,
I'm sorry, I haven't looked into nginx for quite some time - I moved my entire frontend to traefik.