Need client cert common name as user
Igor Sysoev
igor at sysoev.ru
Wed Sep 21 03:38:02 UTC 2011

On Wed, Sep 21, 2011 at 03:05:26AM +0400, Maxim Dounin wrote:
> Hello!
>
> On Tue, Sep 20, 2011 at 06:39:08PM -0400, sailorfred wrote:
>
> > I'm in the process of converting from lighttpd to nginx, but I'm not
> > finding an equivalent of the lighttpd directive:
> >
> > ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
> >
> > This sets the REMOTE_USER environment variable for the backend FastCGI
> > process, and logs the common name into the access log.
> >
> > Is it possible to do this in nginx?
>
> There is no direct replacement. If you are ok with full cert subject
> DN as a user name, use something like this:
>
>     fastcgi_pass ...
>     fastcgi_param REMOTE_USER $ssl_client_s_dn;
>     ...
>
> Extracting only CN should be possible with "if" directive, though
> will require writing some regexp to parse CN from DN. (And please
> make sure to read http://wiki.nginx.org/IfIsEvil as "if" may cause
> problems by itself if used in location context.)

The "map" directive with regex can be used instead of "if",
something like this:

    # $ssl_client_s_dn_cn is set to the CN component of the subject DN
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default "";
        ~/CN=(?<CN>[^/]+) $CN;
    }

--
Igor Sysoev
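
The pieces discussed in this thread put together, as an added example that is not part of the original messages: the map from the reply above, the REMOTE_USER parameter from the quoted answer, and the access-log field asked for in the question. The server name, file paths, backend address, the log format name and the $remote_user_cn variable are placeholders chosen for the example.

```nginx
http {
    # Map from the thread: take CN out of a slash-separated subject DN.
    # nginx 1.11.6 and later emit $ssl_client_s_dn in RFC 2253 form; there
    # the slash-separated string is in $ssl_client_s_dn_legacy.
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default "";
        ~/CN=(?<CN>[^/]+) $CN;
    }

    # Pass the CN on only when the certificate verified. With
    # "ssl_verify_client optional_no_ca" the DN is filled in even for a
    # certificate that failed verification, so gate on $ssl_client_verify.
    map $ssl_client_verify $remote_user_cn {
        default "";
        SUCCESS $ssl_client_s_dn_cn;
    }

    # Access log with the CN in the position normally used by $remote_user.
    log_format clientcert '$remote_addr - $remote_user_cn [$time_local] '
                          '"$request" $status $body_bytes_sent';

    server {
        listen 443 ssl;
        server_name example.test;

        ssl_certificate        /etc/nginx/tls/server.crt;
        ssl_certificate_key    /etc/nginx/tls/server.key;
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_verify_client      on;

        access_log /var/log/nginx/access.log clientcert;

        location / {
            # If the included file already sets REMOTE_USER, remove that
            # line there so the backend receives a single value.
            include       fastcgi_params;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_param REMOTE_USER $remote_user_cn;
        }
    }
}
```

The regex stops at the next "/", so it assumes the CN value itself contains no slash; a backend that authorizes on REMOTE_USER should also rely on the issuing CA constraining which CNs can be issued.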