<html><head></head><body>I think this will set the headers only for the login URL but still ask for the certificate on all URLs. And this is not what I need, I only want to have to present a certificate for a single URL<br>
<br><br><div class="gmail_quote">On 19 February 2018 16:35:59 CET, Jason Whittington <Jason.Whittington@equifax.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">I would think "location=" would solve this. What about something like the following?

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;
        include templates/ssl_setup.conf;

        location = /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass <a href="http://localhost:8080">http://localhost:8080</a>;
        }

        location / {
            root /var/www/...;
        }
    }

Jason


-----Original Message-----
From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Gbg
Sent: Monday, February 19, 2018 9:12 AM
To: nginx@nginx.org
Subject: [IE] Clientcertificate authentication only for a single URL

I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and if necessary it logs in a user by issuing a call to "myapp.local/login". I cannot create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time I do not want to enforce ssl_verify for `/` because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.

This is my current setup which does not work because the first `server` definition block has higher priority. I tried to keep the example short, because of this you see some `...`; the ssl/tls stuff is in my config file but is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference.
I am on mainline 1.13.8

http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }

    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass <a href="http://localhost:8080">http://localhost:8080</a>;
        }
    }
}
<hr>
nginx mailing list
nginx@nginx.org
<a href="http://mailman.nginx.org/mailman/listinfo/nginx">http://mailman.nginx.org/mailman/listinfo/nginx</a></pre></blockquote></div><br>
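Editor's added example, not part of either message in this thread: the single-server-block form of Jason's idea, using `ssl_verify_client optional` together with the `$ssl_client_verify` variable so that only `/login` rejects requests without a valid certificate, while `/` remains reachable. The certificate request is still part of the TLS handshake for every connection, so this does not remove the browser prompt Gbg describes; the certificate, key and CA bundle paths are placeholders.

```nginx
server {
    listen 443 ssl http2;
    server_name myapp.local;

    # Placeholder paths; substitute the real server certificate and key.
    ssl_certificate     /etc/nginx/tls/myapp.local.crt;
    ssl_certificate_key /etc/nginx/tls/myapp.local.key;
    ssl_session_cache   shared:SSL:1m;

    # Ask for a client certificate during the handshake but do not abort the
    # connection when none is presented. nginx does not know the URL at this
    # point, so the request (and any browser selection dialog) cannot be
    # limited to /login; only the *enforcement* below is per-location.
    ssl_client_certificate /etc/nginx/tls/acceptedcas.pem;   # placeholder path
    ssl_verify_depth       2;
    ssl_verify_client      optional;

    # Anonymous access to the application itself.
    location / {
        root /var/www/myapp;
    }

    # Exact-match location: only here is a verified certificate mandatory.
    # $ssl_client_verify is "SUCCESS", "NONE" or "FAILED:<reason>".
    location = /login {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward identity details to the application for its own checks.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;

        proxy_pass http://localhost:8080;
    }
}
```

The upstream on port 8080 must accept the X-SSL-Client-* headers only from nginx (bind it to localhost or a firewalled interface), because a client that can reach it directly could supply its own header values.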
-- <br>
This message was sent from my Android device with K-9 Mail.</body></html>