Need to compare client certificate CN with an entry in /etc/hosts
Radha Venkatesh (radvenka)
radvenka at cisco.com
Wed Nov 27 00:01:16 UTC 2013
I found the below snippet which could provide me the cn from the certificate. What would be the easiest way to compare this with an entry in /etc/hosts? Do we need an external module to do this?
The "map" directive with regex can be used instead of "if",
something like this:
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~/CN=(?<CN>[^/]+) $CN;
};
-----Original Message-----
From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of Francis Daly
Sent: Tuesday, November 26, 2013 3:16 PM
To: nginx at nginx.org
Subject: Re: Need to compare client certificate CN with an entry in /etc/hosts
On Tue, Nov 26, 2013 at 07:19:55PM +0000, Radha Venkatesh (radvenka) wrote:
Hi there,
> An additional requirement is that we have to match the client certificate
> CN with an existing entry in /etc/hosts. What would be the simplest
> mechanism to do this? HttpPerlModule? Uwsgi?
In nginx terms, you have $remote_addr as the client IP address, and you
have the variables described in
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
as "things from the certificate".
I don't see CN listed there, so I suspect that whatever you do is going
to involve some extra parsing of the certificate, which probably means
something external or dynamic within nginx.conf.
The "simplest" mechanism is probably whichever one you are most familiar
with already.
Whether you use an embedded language or something external, you can make
sure to send the appropriate raw information to it, and let it decide
whether this is good or not.
You may be interested in trying http://nginx.org/r/auth_request as one
possibly way of communicating the success or failure state of your check
back to nginx, but it all depends on the extra code that you must write.
Good luck with it,
f
--
Francis Daly francis at daoine.org
_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
More information about the nginx
mailing list