Client certificate authentication only for a single URL

Jason Whittington Jason.Whittington at equifax.com
Mon Feb 19 15:35:59 UTC 2018


I would think "location=" would solve this.  What about something like the following?

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;
        include templates/ssl_setup.conf;

        location = /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }

        location  / {
            root /var/www/...;
        }
    }

Jason


-----Original Message-----
From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Gbg
Sent: Monday, February 19, 2018 9:12 AM
To: nginx at nginx.org
Subject: [IE] Client certificate authentication only for a single URL



I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and, if necessary, it logs in a user by issuing a call to "myapp.local/login". I cannot create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time, I do not want to enforce ssl_verify for `/`, because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.

This is my current setup, which does not work because the first `server` definition block has higher priority. I tried to keep the example short; because of this you see some `...`. The SSL/TLS stuff is in my config file but is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference. I am on mainline 1.13.8.

http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }

    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }
    }
}
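Added example (not Jason's or Gbg's config): the pattern nginx itself offers for this problem. `ssl_verify_client` is a server-level directive, so a single `server` block requests the certificate as `optional` and the actual enforcement happens in the exact-match `/login` location via `$ssl_client_verify`. File paths, the CA bundle name, the upstream port and the header names are placeholders.

```nginx
# Added example, not from the thread: one server block, client certificate
# optional at the TLS layer, enforced only for the exact /login URL.
# Paths under /etc/nginx/ and the upstream port 8080 are placeholders.
server {
    listen 443 ssl http2;
    server_name myapp.local;

    ssl_certificate     /etc/nginx/ssl/myapp.local.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/myapp.local.key;   # placeholder
    ssl_session_cache   shared:SSL:1m;

    # ssl_verify_client cannot be set per location. "optional" asks the client
    # for a certificate during the handshake but does not fail the connection
    # when none is sent, so the start page stays reachable without one.
    # Only chains ending in a CA from this bundle are accepted.
    ssl_client_certificate /etc/nginx/ca/accepted-cas.pem;   # placeholder
    ssl_verify_depth       2;
    ssl_verify_client      optional;

    # Exact match: "location =" takes precedence over the prefix location "/".
    location = /login {
        # $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE".
        # Anything other than SUCCESS means no valid certificate was presented.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Pass the verified identity to the backend. The backend must accept
        # these headers only from nginx, never directly from clients.
        proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;
        proxy_set_header X-SSL-Client-Serial      $ssl_client_serial;
        proxy_set_header X-SSL-Client-S-DN        $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;
        proxy_pass http://localhost:8080;
    }

    # Everything else is served without any certificate check.
    location / {
        root /var/www/myapp;   # placeholder
    }
}
```

Because the certificate request is part of the TLS handshake, which completes before nginx knows the URL, `optional` still makes nginx ask for a certificate on every new connection; whether the browser then shows a selection dialog on the start page depends on the browser and on which certificates it holds.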