Clientcertificate authentication only for a single URL

Gbg garbage at gmx.de
Mon Feb 19 15:51:00 UTC 2018


I think this will set the headers only for the login URL but still ask for the certificate on all URLs. And this is not what I need; I only want to have to present a certificate for a single URL.


On 19 February 2018 16:35:59 CET, Jason Whittington <Jason.Whittington at equifax.com> wrote:
>I would think "location=" would solve this.  What about something like
>the following?
>
>    server {
>        listen 443 ssl http2;
>        server_name localhost;
>
>        ssl_certificate ...
>        ssl_certificate_key ...
>        ssl_session_cache       shared:SSL:1m;
>        include templates/ssl_setup.conf;
>
>        location = /login {
>            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
>            proxy_set_header X-SSL-Client-...
>
>            proxy_pass http://localhost:8080;
>        }
>
>        location  / {
>            root /var/www/...;
>        }
>    }
>
>Jason
>
>
>-----Original Message-----
>From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Gbg
>Sent: Monday, February 19, 2018 9:12 AM
>To: nginx at nginx.org
>Subject: [IE] Clientcertificate authentication only for a single URL
>
>
>
>I need to secure only a single URL on my server by demanding or
>enforcing client certificate based authentication. My application is
>called by opening "myapp.local" and if necessary it logs in a user by
>issuing a call to "myapp.local/login". I cannot create a second
>hostname to do the login, so specifying a second `server` with
>`server_name myapplogin.local` does not work.
>Because the login is not necessary all the time I do not want to
>enforce ssl_verify for `/` because then the user would be prompted with
>a certificate selection dialog even before he can see the start page of
>my application.
>
>This is my current setup which does not work because the first `server`
>definition block has higher priority. I tried to keep the example
>short, because of this you see some `...`; the ssl/tls stuff is in my
>config file but is not repeated here because I think it is not part of
>the problem.
>Replacing `server_name localhost` with `server_name myapp.local` didn't
>make any difference. I am on mainline 1.13.8.
>
>http {
>    server {
>        listen 443 ssl http2;
>        server_name localhost;
>
>        ssl_certificate ...
>        ssl_certificate_key ...
>        ssl_session_cache       shared:SSL:1m;
>        include templates/ssl_setup.conf;
>
>        location / {
>            root /var/www/...;
>        }
>
>    }
>
>    server {
>        listen 443 ssl http2;
>        server_name localhost;
>
>        ssl_certificate ...
>        ssl_certificate_key ...
>        ssl_session_cache       shared:SSL:1m;
>
>        ssl_client_certificate /.../acceptedcas.pem;
>        ssl_verify_depth 2;
>        ssl_verify_client on;
>
>        location /login {
>            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
>            proxy_set_header X-SSL-Client-...
>
>            proxy_pass http://localhost:8080;
>        }
>    }
>}
>_______________________________________________
>nginx mailing list
>nginx at nginx.org
>http://mailman.nginx.org/mailman/listinfo/nginx
>

-- 
This message was sent from my Android device with K-9 Mail.
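Added example, not from any message in this thread: a single nginx `server` block that asks for a client certificate with `ssl_verify_client optional` and enforces the result only in `location = /login` via the built-in `$ssl_client_verify` variable. Certificate, key and web-root paths are assumed placeholders; the backend on localhost:8080 and the `X-SSL-Client-*` header names come from the thread.

```nginx
# Added example: optional client verification at the TLS handshake,
# enforcement only on /login. Paths marked "assumed" are placeholders.
server {
    listen 443 ssl http2;
    server_name myapp.local;

    ssl_certificate     /etc/nginx/tls/myapp.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/myapp.key;   # assumed path
    ssl_session_cache   shared:SSL:1m;

    # CAs whose client certificates are accepted. The CertificateRequest is
    # sent during the handshake for every connection to this server block;
    # nginx cannot scope it to a location, so the decision is moved to /login.
    ssl_client_certificate /etc/nginx/tls/acceptedcas.pem;   # assumed path
    ssl_verify_depth 2;

    # "optional": the handshake succeeds with or without a certificate;
    # the outcome is exposed as $ssl_client_verify (SUCCESS, NONE, FAILED:<reason>).
    ssl_verify_client optional;

    location = /login {
        # Only here is a valid certificate mandatory.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://localhost:8080;
    }

    location / {
        root /var/www/myapp;   # assumed path
    }
}
```

Two caveats for anyone deploying this: the certificate request is still part of the TLS handshake (nginx does not renegotiate per location), so a browser that holds a certificate matching one of the accepted CAs may still show its selection dialog on the first request to `/`; what `optional` buys is that the handshake no longer fails and the 403 decision is made per URL. And the backend must only trust the `X-SSL-Client-*` headers when it is reachable exclusively through this proxy, since they are plain request headers that any direct client could set.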