mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 05:40:11 +01:00
gocsaf/docs/client-certificate-setup.md
Bernhard Reiter ae776306e2
Fix typo
2022-02-14 16:38:40 +01:00

Client-Certificate based authentication

This guide assumes that the userA.pfx file is available and can be imported into a web browser.

Configure nginx

Assuming the relevant server block is in /etc/nginx/sites-enabled/default, adjust it as shown in the following example:

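server {
    # Other Config
    # ...

    # CA certificate(s) used to verify client certificates
    ssl_client_certificate /etc/ssl/ca.crt;
    # Request a client certificate, but do not require one for every path
    ssl_verify_client optional;
    ssl_verify_depth 2;

    location ~* /.well-known/csaf/(red|green|amber)/{
        autoindex on;
        # Deny access unless a client certificate was presented and verified
        if ($ssl_client_verify != SUCCESS){
            return 403;
        }
    }

}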

This restricts access to the paths matched by the location directive to clients that present a certificate which verifies successfully against the CA configured in ssl_client_certificate.

Reload or restart nginx to apply the changes (e.g. systemctl reload nginx on Debian or Ubuntu).

To test this:

  • From the browser: import userA.pfx, then navigate to the protected directories.
  • With curl: curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key
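The tests listed above only exercise the authenticated case; the script below also confirms that a request without a certificate is refused for each of the three directories. It is an added example, not part of the gocsaf documentation: the function names and the SERVER_URL, CERT and KEY variables are assumptions, and it assumes the red, green and amber directories exist so that an authenticated request returns 200.

```shell
#!/bin/sh
# Added example (not from the gocsaf docs). CERT/KEY default to the paths
# used in the curl command above; SERVER_URL is an assumed variable.
CERT="${CERT:-/etc/ssl/userA.crt}"
KEY="${KEY:-/etc/ssl/userA.key}"

# http_status URL [extra curl args...] -> prints only the HTTP status code.
# A failed connection prints 000 instead of aborting the script.
http_status() {
    target="$1"; shift
    curl --silent --output /dev/null --write-out '%{http_code}' "$@" "$target" || true
}

# check_csaf_access BASE_URL -> returns 0 only if every protected directory
# answers 403 without a client certificate and 200 with one.
check_csaf_access() {
    base="$1"
    failures=0
    for tlp in red green amber; do
        url="$base/.well-known/csaf/$tlp/"
        anon=$(http_status "$url")
        auth=$(http_status "$url" --cert "$CERT" --key "$KEY")
        if [ "$anon" != "403" ]; then
            echo "FAIL $url: no certificate, expected 403, got $anon"
            failures=$((failures + 1))
        fi
        if [ "$auth" != "200" ]; then
            echo "FAIL $url: with certificate, expected 200, got $auth"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Runs only when a server URL is supplied, e.g.
#   SERVER_URL=https://csaf.example.test sh check.sh   (constructed host name)
if [ -n "${SERVER_URL:-}" ]; then
    check_csaf_access "$SERVER_URL" && echo "client-certificate restriction OK"
fi
```

A 200 in the "no certificate" line means the location block is not being applied to that path, for example because another location matches first.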