2905a30cc0
* Improve nginx setup to transfer auth information to the fcgiwrap backend. * Add instructions for creating client certs for testing. * Add debug output to see if and which client cert has been used when calling the csaf_provider.go .
1.6 KiB
Client-Certificate based authentication
Assuming the userA.pfx file is available, which can be imported into a web browser.
Configure nginx
Assuming the relevant server block is in /etc/nginx/sites-enabled/default,
adjust it like show in the following example:
server {
# Other Config
# ...
ssl_client_certificate /etc/ssl/rootca-cert.pem;
ssl_verify_client optional;
ssl_verify_depth 2;
# This example allows access to all three TLP locations for all certs.
location ~ /.well-known/csaf/(red|green|amber)/{
autoindex on;
# in this location access is only allowed with client certs
if ($ssl_client_verify != SUCCESS){
# we use status code 404 == "Not Found", because we do not
# want to reveal if this location exists or not.
return 404;
}
}
}
This will restrict the access to the defined paths in the location
directive to only authenticated client certificates issued by the CAs
which are configured with ssl_client_certificate.
If you want to restrict each path of green, amber and red
differently, you could use several location blocks
each which a single if that matches the $ssl_client_i_dn variable
to CAs that you would want to allow for that location.
Reload or restart nginx to apply the changes (e.g. systemctl reload nginx
on Debian or Ubuntu.)
To test this see development-client-certs.md and
- From the browser after importing the
testclient1.p12: nagivate to the protected directories. - With curl:
curl https://{serverURL}/.well-known/csaf/red/ --cert-type p12 --cert testclient1.crt