Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander Abakumov2016-02-24 15:30:54
Nginx
Alexander Abakumov, 2016-02-24 15:30:54

Proxying in nginx with client certificates?

Good health to all colleagues.
Straight to the point.
There is an Apache server, on it access to aliases on client certificates is configured. Apache itself works without any complaints, but now I want scalability due to the increase in hosts that require ssl.
We have one white IP, inside behind the NAT there is a server on which Apache is spinning and people are authorized on it using certificates. Port 443 is just forwarded to this machine. Now I want to install NGINX on the router, which will proxy requests to the desired server.
The task is to leave the possibility to log in using certificates.
there are presumably 3 aliases in the patch:
/user
/admin
/guest
in Apache candy is written like this:


SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/ssl/ca.cer"
SSLRequire %{SSL_CLIENT_S_DN_Email} eq "[email protected]" and %{SSL_CLIENT_M_SERIAL} eq "Serial-1" \
or %{SSL_CLIENT_S_DN_Email} eq "[email protected]" and %{SSL_CLIENT_M_SERIAL} eq "Serial-2" \
or %{SSL_CLIENT_M_SERIAL} eq "Serial-3" \
or % {SSL_CLIENT_S_DN_Email} eq "[email protected]" and %{SSL_CLIENT_M_SERIAL} eq "Serial-4" \
or %{SSL_CLIENT_M_SERIAL} eq "Serial-5"

The thing is that only admins and users should have access to /user.
in /admin only admins
in /guest all and users and admins and guests.
I was thinking about making authorization in NginX, but there is no possibility to use nested conditions or "or" values ​​(OR,AND,||,&&). I tried to write in candy like this:
# if ($ssl_client_serial !~ "Serial-1") { return 401;}
# if ($ssl_client_serial !~ "Serial-2") { return 401;}
# if ($ssl_client_serial !~ "Serial-3") { return 401;}

But in case of a mismatch at least one, it throws out with a 401st error.
I tried to use map, but it can only be used in the http{} directive.
I want to:
either check the certificate in nginx, with access restriction,
or forward / proxy the certificate to Apache, so that it can already check the certificate.
Can you please tell me how this can be done?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
A
Alexey S., 2016-02-24
@nops

you can do something like this, if you remake your version:

# set $true 0;
# if ($ssl_client_serial = "Serial-1") {set $true 1;}
# if ($ssl_client_serial = "Serial-2") {set $true 1;}
# if ($ssl_client_serial = "Serial-3") {set $true 1;} 
# if ($true=0) {return 401;}

Similar questions
V
viktortokarev8822018-03-08 00:21:44
phpmyadmin. “File not found” error (php-fpm)? 1Reply
M
mulligan2015-10-31 23:01:38
Is it possible to choose with my nginx what Cloudflare will give? 1Reply
W
Weageoo2011-11-17 01:29:42
How to organize a highly loaded TCP server? 3Reply
N
NO_GLITCH2018-03-10 00:09:57
How to properly use map+stream in nginx? 0Reply
K
keks0002018-03-11 09:47:05
How to compress a photo and cache from another site? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question