Per location ssl_verify

Per location ssl_verify_client Hello, I have a website with both frontend and backend in ssl. The frontend is allowed for everybody. But I wish the backend be allowed only with a valid client certificate. It's url is something like that : https://www.my_website.com/admin I'm trying the following config : location /admin/ { ## Allow admins only to view admin page ssl_verify_client on; ssl_verify_depth 1; } But NginX 1.0.5 complains : nginx: [emerg] "ssl_verify_client" directive is not allowed here With apache, you can set ssl_verify_client on a per location basis... Regards, Elorilhttp://forum.nginx.org/read.php?10,214169,214169#msg-214169Fri, 24 May 2013 18:08:19 -0400 Phorum 5.2.16 http://forum.nginx.org/read.php?10,214169,220578#msg-220578 Re: Per location ssl_verify_clienthttp://forum.nginx.org/read.php?10,214169,220578#msg-220578
No, it's not 2 SSL certs tied to the same IP. I have one SSL certificate installed, and one server certificate to verify clients (the "ssl_verify_client on" instruction).

To connect to the public part of the website, no client certificate are required, but to view some specials pages, a client certificate is mandatory.

With Apache, you can for the root location indicate that there is no verification, and for some locations, you can indicate that client verification is required. When the user browse from one location without verification to one with verification required, apache makes a ssl renegotiation.

With Nginx it is impossible, due to the fact it doesn't support (yet) path based client ssl verification.

I have tried the solution proposed by Igor Sysoev : http://forum.nginx.org/read.php?29,173747

But with some browser, clients cannot connect to the public part of the website.

Path based client ssl verification with NginX will be huge improvement for me.

Regards,
Eloril]]> eloril Ideas and Feature RequestsWed, 28 Dec 2011 04:11:42 -0500 http://forum.nginx.org/read.php?10,214169,220531#msg-220531 Re: Per location ssl_verify_clienthttp://forum.nginx.org/read.php?10,214169,220531#msg-220531 trojan2748 Ideas and Feature RequestsTue, 27 Dec 2011 05:22:56 -0500 http://forum.nginx.org/read.php?10,214169,217529#msg-217529 Re: Per location ssl_verify_clienthttp://forum.nginx.org/read.php?10,214169,217529#msg-217529
I have tried the solution proposed by Igor Sysoev :
http://forum.nginx.org/read.php?29,173747

Despite the fact it can be a little tricky with php-fpm, I did it.

After a phase of testing, I applied it on a production server... but some times it doesn't work at all and the website is totally anavailable !

When you set
ssl_verify_client optional;

and do something like that
location ^~ /my_private_directory { ## Allow admins only to view admin page
if ($ssl_client_verify != SUCCESS) {
return 403;
break;
}
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
if ($request_filename ~ .php$) {
expires off; ## Do not cache dynamic content
fastcgi_pass unix:/tmp/php-fpm.sock;
}
}

then with Firefox and Chrome it is always ok, but with safari (for windows) it is not the case. If another certificate is installed on the user machine, then Safari display the certificate dialog to choose a certificate... Despite the fact no valid certificate are available !!!

I have some users with ie6 that have complained this is also the case sometime...

Please allow a per location ssl_verify_client (like apache).

Regards,
Eloril]]> eloril Ideas and Feature RequestsSat, 29 Oct 2011 17:45:36 -0400 http://forum.nginx.org/read.php?10,214169,214430#msg-214430 Re: Per location ssl_verify_clienthttp://forum.nginx.org/read.php?10,214169,214430#msg-214430
Sometimes you don't have the choice to create another domain or make the check at application level. In fact I don't have the choice, but I have to protect the admin directory...

As far as I understand, client and server do a renegotiation regularly, when the session cache expires... Then the server can perform a secure renegotiation on a per location basis relatively easily. I believe that for a server like NginX, which is very well programmed, it can be done quickly.

I'm sure a per location client certificate requirement can be a real asset in NginX.

Now, I'm evaluating NginX. I wish to migrate from apache (which supports this), but it is a real big issue for me.

Regards,
Eloril]]> eloril Ideas and Feature RequestsMon, 29 Aug 2011 08:28:37 -0400 http://forum.nginx.org/read.php?10,214169,214277#msg-214277 Re: Per location ssl_verify_clienthttp://forum.nginx.org/read.php?10,214169,214277#msg-214277
You're better off doing a separate domain or make it ssl_verify_client optional at the top level and check the compliance at application level.]]> daniel.b Ideas and Feature RequestsThu, 25 Aug 2011 00:38:52 -0400 http://forum.nginx.org/read.php?10,214169,214169#msg-214169 Per location ssl_verify_clienthttp://forum.nginx.org/read.php?10,214169,214169#msg-214169
I have a website with both frontend and backend in ssl.

The frontend is allowed for everybody.

But I wish the backend be allowed only with a valid client certificate.
It's url is something like that :
https://www.my_website.com/admin

I'm trying the following config :
location /admin/ { ## Allow admins only to view admin page
ssl_verify_client on;
ssl_verify_depth 1;
}

But NginX 1.0.5 complains :
nginx: [emerg] "ssl_verify_client" directive is not allowed here

With apache, you can set ssl_verify_client on a per location basis...

Regards,
Eloril]]> eloril Ideas and Feature RequestsTue, 23 Aug 2011 05:11:26 -0400