From 1e9d31277d74cead314bd2e50733397db7828f31 Mon Sep 17 00:00:00 2001 From: "Bernhard E. Reiter" Date: Tue, 14 Jun 2022 13:19:30 +0200 Subject: [PATCH] Improve nginx setup docs (#182) * Change nginx config to return 403 on unauthorized access to the non-white TLP locations. We cannot hide the existence anyway, as it is listed in the provider-metadata.json, even when restricted. --- docs/client-certificate-setup.md | 2 +- docs/scripts/TLSClientConfigsForITest.sh | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/client-certificate-setup.md b/docs/client-certificate-setup.md index 0867118..3d0a3f5 100644 --- a/docs/client-certificate-setup.md +++ b/docs/client-certificate-setup.md @@ -6,7 +6,7 @@ a web browser. ### Configure nginx Assuming the relevant server block is in `/etc/nginx/sites-enabled/default` and the CA used to verify the client certificates is under `/etc/ssl/`, adjust the content of the `server{}` block like shown in the following example: - + ```sh ssl_client_certificate '${SSL_CLIENT_CERTIFICATE}'; # e.g. ssl_client_certificate /etc/ssl/rootca-cert.pem; diff --git a/docs/scripts/TLSClientConfigsForITest.sh b/docs/scripts/TLSClientConfigsForITest.sh index 348e4a3..3d11c3e 100755 --- a/docs/scripts/TLSClientConfigsForITest.sh +++ b/docs/scripts/TLSClientConfigsForITest.sh @@ -33,9 +33,7 @@ echo ' autoindex on; # in this location access is only allowed with client certs if ($ssl_client_verify != SUCCESS){ - # we use status code 404 == "Not Found", because we do - # not want to reveal if files within this location exist or not. - return 404; + return 403; } } '> ~/${FOLDERNAME}/clientCertificateConfigs.txt
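Review bot: The hunk in docs/client-certificate-setup.md is whitespace-only (the `- ` / `+ ` pair removes a trailing space on the blank line before the fence) and does not carry the 404-to-403 change described in the commit message, so the documented `server{}` example and the generated `clientCertificateConfigs.txt` can now disagree on the status code; please check that the prose example in this file matches the script, and consider tagging the fence ```` ```nginx ```` rather than ```` ```sh ````, since the block holds nginx directives (`ssl_client_certificate '${SSL_CLIENT_CERTIFICATE}';`), not shell.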
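Review bot: The hunk in docs/scripts/TLSClientConfigsForITest.sh drops the two-line comment that explained the old `return 404;` choice but adds nothing in its place, so the generated config no longer records why `return 403;` is acceptable here; the reasoning is only in the commit message, which readers of the emitted `clientCertificateConfigs.txt` never see. Suggest keeping a short comment inside the `if ($ssl_client_verify != SUCCESS){` block, e.g. `# 403: the location is listed in provider-metadata.json, so its existence is not secret`, so the security rationale survives with the configuration it justifies.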