mirror of
https://github.com/gocsaf/csaf.git
synced 2025-12-22 18:15:42 +01:00
47 lines
1.6 KiB
Markdown
47 lines
1.6 KiB
Markdown
# Client-Certificate based authentication
|
|
|
|
Assuming the userA.pfx file is available, which can be imported into
|
|
a web browser.
|
|
|
|
### Configure nginx
|
|
Assuming the relevant server block is in `/etc/nginx/sites-enabled/default`,
|
|
adjust it like shown in the following example:
|
|
|
|
```
|
|
server {
|
|
# Other Config
|
|
# ...
|
|
|
|
ssl_client_certificate /etc/ssl/rootca-cert.pem;
|
|
ssl_verify_client optional;
|
|
ssl_verify_depth 2;
|
|
|
|
# This example allows access to all three TLP locations for all certs.
|
|
location ~ /.well-known/csaf/(red|green|amber)/{
|
|
autoindex on;
|
|
# in this location access is only allowed with client certs
|
|
if ($ssl_client_verify != SUCCESS){
|
|
# we use status code 404 == "Not Found", because we do not
|
|
# want to reveal if this location exists or not.
|
|
return 404;
|
|
}
|
|
}
|
|
}
|
|
```
|
|
This will restrict the access to the defined paths in the ```location```
|
|
directive to only authenticated client certificates issued by the CAs
|
|
which are configured with `ssl_client_certificate`.
|
|
|
|
If you want to restrict each path of `green`, `amber` and `red`
|
|
differently, you could use several location blocks
|
|
each which a single `if` that matches the `$ssl_client_i_dn` variable
|
|
to CAs that you would want to allow for that location.
|
|
|
|
Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
|
|
on Debian or Ubuntu.)
|
|
|
|
To test this see [development-client-certs.md](development-client-certs.md) and
|
|
* From the browser after importing the `testclient1.p12`:
|
|
nagivate to the protected directories.
|
|
* With curl: `curl https://{serverURL}/.well-known/csaf/red/ --cert-type p12 --cert testclient1.crt`
|
|
|