Clientcertificate authentication only for a single URL
Gbg
garbage at gmx.de
Mon Feb 19 15:12:23 UTC 2018
I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and if necessary it logs in a user by issuing a call to "myapp.local/login". I can not create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time I do not want to encorce ssl_verify for `/` because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.
This is my current setup which does not work because the first `server` definition block has higher priority. I tried to keep the example short, because of this you see some `...`, the ssl/tls stuff is in my config file but is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference. I am on mainline 1.13.8
http {
server {
listen 443 ssl http2;
server_name localhost;
ssl_certificate ...
ssl_certificate_key ...
ssl_session_cache shared:SSL:1m;
include templates/ssl_setup.conf;
location / {
root /var/www/...;
}
}
server {
listen 443 ssl http2;
server_name localhost;
ssl_certificate ...
ssl_certificate_key ...
ssl_session_cache shared:SSL:1m;
ssl_client_certificate /.../acceptedcas.pem;
ssl_verify_depth 2;
ssl_verify_client on;
location /login {
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
proxy_set_header X-SSL-Client-...
proxy_pass http://localhost:8080;
}
}
}
More information about the nginx
mailing list