Nginx SSL Client Authentication

Nginx can verify SSL client certificates, but unfortunately there is no directive equivalent to Apache's SSLRequire or SSLRequireSSL. Checking SSL client certificate attributes is possible (although limited) with the if directive, like so:
if ($ssl_client_s_dn !~ "O=some organization") {
  return 403;
}
But if you want basic auth as secondary authentication, some config-fu is necessary:
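location /protected {
  # "V": the client certificate was verified against the configured CA
  if ($ssl_client_verify = "SUCCESS") {
    set $auth "V";
  }
  # "S": the subject DN contains the expected organization
  if ($ssl_client_s_dn ~ "O=some organization") {
    set $auth "${auth}S";
  }
  # Allow only "VS" (verified cert + matching subject) or "B" (basic auth)
  if ($auth !~ "VS|B") {
    error_page 401 @auth;
    return 401;
  }
}
location @auth {
  # Fall back to basic auth, then re-enter /protected with $auth set to "B"
  auth_basic "secure site";
  auth_basic_user_file /etc/nginx/htpasswd;
  set $auth "B";
  rewrite /protected(.*) /protected$1;
}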
This looks promising, but still suffers from nginx not having any way to fake basic auth, because you can't set $remote_user. If your program is SSL auth aware, you might get away with this. I originally tried the above config for awstats and failed miserably.
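
An alternative that avoids the named-location rewrite, shown as an added example that is not part of the original page: a map turns the verification result and subject DN into the auth_basic realm, and the value off skips the password prompt for accepted certificates. It assumes nginx 1.3.10 or later (variables in auth_basic) and the comma-separated DN format used since 1.11.6; the server name and certificate paths are placeholders.

```nginx
# http context. Added example: server_name and file paths are placeholders.
map "$ssl_client_verify:$ssl_client_s_dn" $protected_realm {
    # No certificate, or a certificate from the wrong organization:
    # auth_basic gets a realm, so a password is required.
    default "secure site";

    # Verified certificate whose subject carries an O= attribute that is
    # exactly "some organization". The attribute must be delimited by commas
    # or the ends of the DN, so "O=some organization2" does not match, unlike
    # the unanchored substring test in the if blocks.
    # Assumption: the issuing CA does not put commas inside attribute values
    # (they appear escaped in the DN and are not handled here).
    # DN form since nginx 1.11.6: "CN=alice,O=some organization,C=US"
    "~^SUCCESS:(.*,)?O=some organization(,.*)?$" off;
}

server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;

    # CA that issues the client certificates
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
    # Request a client certificate, but let clients without one connect
    # so they can fall back to basic auth.
    ssl_verify_client      optional;

    location /protected {
        # "off" (accepted certificate) disables basic auth for this request;
        # any other value is used as the realm and credentials are checked.
        auth_basic           $protected_realm;
        auth_basic_user_file /etc/nginx/htpasswd;
    }
}
```

As with the config above, $remote_user stays empty for certificate-authenticated requests, so the backend must read the identity from the certificate variables.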

-- AvishaiIshShalom - 11 Jun 2010
Topic revision: r3 - 19 Jun 2010 - 13:11:24 - AvishaiIshShalom
 
