Need to compare client certificate CN with an entry in /etc/hosts
Francis Daly
francis at daoine.org
Wed Nov 27 23:07:12 UTC 2013
On Wed, Nov 27, 2013 at 12:01:16AM +0000, Radha Venkatesh (radvenka) wrote:
Hi there,
> I found the below snippet which could provide me the cn from the certificate.
Great, now you have a variable to hold the CN that you want to do
something with.
> What would be the easiest way to compare this with an entry in /etc/hosts? Do we need an external module to do this?
>
I think you need some form of programming, if you want to read /etc/hosts
"live" each time -- you can try whatever language you have compiled into
your nginx, or you can use any one of the *_pass directives to talk
to whatever you write in the language of your choice.
If you are happy to statically write the contents of /etc/hosts into
your nginx.conf, so that it is only read on startup, you could probably
do it all in config: use another "map" to check that $ssl_client_s_dn_cn
is one of your expected values:
map $ssl_client_s_dn_cn $is_cn_in_etc_hosts {
    default           "no";
    hostname1         "yes";
    host2.example.com "yes";
}
Or you could check that the matching ip address is the same as
$remote_addr, if that is what you want:
map $ssl_client_s_dn_cn $what_ip_should_cn_have {
    default           "";
    hostname1         "127.0.0.3";
    host2.example.com "127.0.0.4";
}
and then compare $what_ip_should_cn_have with $remote_addr.
f
--
Francis Daly francis at daoine.org
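As an added example (not Francis's or the original poster's code), here is the second option carried through to a complete server block, including the comparison against $remote_addr that the reply leaves to the reader. It assumes $ssl_client_s_dn_cn is produced by a hypothetical map over $ssl_client_s_dn (the poster's own snippet is not shown), and uses placeholder certificate paths and upstream name.

```nginx
http {
    # Hypothetical CN extractor (assumption, not the poster's snippet):
    # pulls the CN attribute out of the client subject DN string.
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default        "";
        ~CN=(?<cn>[^,/]+) $cn;
    }

    # Expected client address for each CN, copied from /etc/hosts when
    # the config is written; nginx reads this only at startup/reload.
    map $ssl_client_s_dn_cn $what_ip_should_cn_have {
        default           "";
        hostname1         "127.0.0.3";
        host2.example.com "127.0.0.4";
    }

    server {
        listen      443 ssl;
        server_name example.com;                        # placeholder

        ssl_certificate        /etc/nginx/server.crt;   # placeholder paths
        ssl_certificate_key    /etc/nginx/server.key;
        ssl_client_certificate /etc/nginx/client-ca.crt;

        # The CN is only meaningful once the chain has been verified
        # against the CA above; without this the client picks any CN.
        ssl_verify_client on;

        location / {
            # Unknown CN (expected IP is "") or address mismatch -> 403.
            # $remote_addr is never empty, so unlisted CNs always fail.
            if ($what_ip_should_cn_have != $remote_addr) {
                return 403;
            }
            proxy_pass http://backend;                  # placeholder upstream
        }
    }
}
```

Because the maps are evaluated per request but their contents are fixed at load time, an edit to /etc/hosts needs a matching edit here followed by a reload.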