1.9 KiB
Client-Certificate based authentication
Assuming the userA.pfx file is available, which can be imported into a web browser.
Configure nginx
Assuming the relevant server block is in /etc/nginx/sites-enabled/default,
adjust it like shown in the following example:
server {
# Other Config
# ...
ssl_client_certificate /etc/ssl/rootca-cert.pem;
ssl_verify_client optional;
ssl_verify_depth 2;
# This example allows access to all three TLP locations for all certs.
location ~ /.well-known/csaf/(red|green|amber)/{
autoindex on;
# in this location access is only allowed with client certs
if ($ssl_client_verify != SUCCESS){
# we use status code 404 == "Not Found", because we do not
# want to reveal if this location exists or not.
return 404;
}
}
}
This will restrict the access to the defined paths in the location
directive to only authenticated client certificates issued by the CAs
which are configured with ssl_client_certificate.
If you want to restrict each path of green, amber and red
differently, you could use several location blocks
each which a single if that matches the $ssl_client_i_dn variable
to CAs that you would want to allow for that location.
Reload or restart nginx to apply the changes (e.g. systemctl reload nginx
on Debian or Ubuntu.)
To test this see development-client-certs.md and
- From the browser after importing the
testclient1.p12: nagivate to the protected directories. - With curl:
curl https://{serverURL}/.well-known/csaf/red/ --cert-type p12 --cert testclient1.p12. (If the server uses self-signed certifcate one of the following options should be added to thecurlcommand:--insecureto disable the verification,--cacert {CA-Certificate-File}to pass the CA-Certificate that verifies the server).