Question about client certs

Hi

Is it possible with nginx to do this

https://www.abc.com
/
/noclientcert/
/clientcert/

so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don’t need a cert.

Looks like from the config doco you can only set it for the whole tree

A

Alex Samad:

Is it possible with nginx to do this

https://www.abc.com
/
/noclientcert/
/clientcert/

so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don’t need a cert.

as far as I learned it’s not possible and the usual answer
to such feature requests is: “use different virtual hosts”

Andreas

Your question shows you need to understand how HTTP over TLS works.

TLS enciphers HTTP content, thus nothing is readable (either headers or
body).
How do you select the right certificate based on HTTP content? You
can’t.

Wait, Host-HTTP-Header-based certificate delivery exists, how is that
possible?
With TLS it is basically impossible, but it works though a TLS extension
called Server Name Indication (SNI). nginx docs talk about that:
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

Now what you ask requires access to enciphered HTTP content.
Short answer: there is no way to do that, you will need to use different
servers, either using SNI (as Andreas suggested) or separate IP
addresses.

B. R.

Dear Alex.

Am 02-02-2016 04:32, schrieb Alex Samad:

so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don’t need a cert.

Looks like from the config doco you can only set it for the whole tree

I would try to use this directives

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
http://nginx.org/en/docs/http/ngx_http_map_module.html

and in a map make something like this.

map $ssl_client_cert $clientcert {
default “”;
“~.*CLIENT_CERT_CHECK” clientcert;
}

and

location $clientcert {
}

location no$clientcert {
}

is this possible ;-)?

BR Aleks

Am 02-02-2016 23:22, schrieb Alex Samad:

Yep I think thats what i was asking.

Cool it would be nice if you can tell us if it’s works and how was your
solution :wink:

BR Aleks

Yep I think thats what i was asking.

We have a home grown RP at work that does it and IIS used to do it,
apply cert requirements on part of the tree.

On Wed, Feb 03, 2016 at 09:37:25AM +0100, Aleksandar L. wrote:

Am 02-02-2016 23:22, schrieb Alex Samad:

Hi there,

Cool it would be nice if you can tell us if it’s works and how was
your solution :wink:

I think that “location” does not take variables, and so this will
not work.

More below.

On 2 February 2016 at 20:56, Aleksandar L. [email protected] wrote:

Am 02-02-2016 04:32, schrieb Alex Samad:

Looks like from the config doco you can only set it for the
whole tree …

Untested by me, but if you set

ssl_verify_client optional;

and then within your

location ^~ /clientcert/ {}

you have something like

if ($ssl_client_verify != SUCCESS) { return 403; }

would that fit your needs?

(If the content below /clientcert/ is all handled by an external
process,
then possibly it could do its own validation or verification using
values
provided by nginx.)

http://nginx.org/r/$ssl_client_verify for some details.

Good luck with it,

f

Francis D. [email protected]

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs