Per location ssl_verify_client
Posted by eloril
|
Per location ssl_verify_client August 23, 2011 05:11AM | Registered: 1 year ago Posts: 6 |
Hello,
I have a website with both frontend and backend in ssl.
The frontend is allowed for everybody.
But I wish the backend be allowed only with a valid client certificate.
It's url is something like that :
https://www.my_website.com/admin
I'm trying the following config :
location /admin/ { ## Allow admins only to view admin page
ssl_verify_client on;
ssl_verify_depth 1;
}
But NginX 1.0.5 complains :
nginx: [emerg] "ssl_verify_client" directive is not allowed here
With apache, you can set ssl_verify_client on a per location basis...
Regards,
Eloril
I have a website with both frontend and backend in ssl.
The frontend is allowed for everybody.
But I wish the backend be allowed only with a valid client certificate.
It's url is something like that :
https://www.my_website.com/admin
I'm trying the following config :
location /admin/ { ## Allow admins only to view admin page
ssl_verify_client on;
ssl_verify_depth 1;
}
But NginX 1.0.5 complains :
nginx: [emerg] "ssl_verify_client" directive is not allowed here
With apache, you can set ssl_verify_client on a per location basis...
Regards,
Eloril
|
Re: Per location ssl_verify_client August 25, 2011 12:38AM | Registered: 1 year ago Posts: 1 |
|
Re: Per location ssl_verify_client August 29, 2011 08:28AM | Registered: 1 year ago Posts: 6 |
I understand it is somehow difficult... But it can be very useful.
Sometimes you don't have the choice to create another domain or make the check at application level. In fact I don't have the choice, but I have to protect the admin directory...
As far as I understand, client and server do a renegotiation regularly, when the session cache expires... Then the server can perform a secure renegotiation on a per location basis relatively easily. I believe that for a server like NginX, which is very well programmed, it can be done quickly.
I'm sure a per location client certificate requirement can be a real asset in NginX.
Now, I'm evaluating NginX. I wish to migrate from apache (which supports this), but it is a real big issue for me.
Regards,
Eloril
Sometimes you don't have the choice to create another domain or make the check at application level. In fact I don't have the choice, but I have to protect the admin directory...
As far as I understand, client and server do a renegotiation regularly, when the session cache expires... Then the server can perform a secure renegotiation on a per location basis relatively easily. I believe that for a server like NginX, which is very well programmed, it can be done quickly.
I'm sure a per location client certificate requirement can be a real asset in NginX.
Now, I'm evaluating NginX. I wish to migrate from apache (which supports this), but it is a real big issue for me.
Regards,
Eloril
|
Re: Per location ssl_verify_client October 29, 2011 05:45PM | Registered: 1 year ago Posts: 6 |
Hello,
I have tried the solution proposed by Igor Sysoev :
http://forum.nginx.org/read.php?29,173747
Despite the fact it can be a little tricky with php-fpm, I did it.
After a phase of testing, I applied it on a production server... but some times it doesn't work at all and the website is totally anavailable !
When you set
ssl_verify_client optional;
and do something like that
location ^~ /my_private_directory { ## Allow admins only to view admin page
if ($ssl_client_verify != SUCCESS) {
return 403;
break;
}
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
if ($request_filename ~ .php$) {
expires off; ## Do not cache dynamic content
fastcgi_pass unix:/tmp/php-fpm.sock;
}
}
then with Firefox and Chrome it is always ok, but with safari (for windows) it is not the case. If another certificate is installed on the user machine, then Safari display the certificate dialog to choose a certificate... Despite the fact no valid certificate are available !!!
I have some users with ie6 that have complained this is also the case sometime...
Please allow a per location ssl_verify_client (like apache).
Regards,
Eloril
I have tried the solution proposed by Igor Sysoev :
http://forum.nginx.org/read.php?29,173747
Despite the fact it can be a little tricky with php-fpm, I did it.
After a phase of testing, I applied it on a production server... but some times it doesn't work at all and the website is totally anavailable !
When you set
ssl_verify_client optional;
and do something like that
location ^~ /my_private_directory { ## Allow admins only to view admin page
if ($ssl_client_verify != SUCCESS) {
return 403;
break;
}
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
if ($request_filename ~ .php$) {
expires off; ## Do not cache dynamic content
fastcgi_pass unix:/tmp/php-fpm.sock;
}
}
then with Firefox and Chrome it is always ok, but with safari (for windows) it is not the case. If another certificate is installed on the user machine, then Safari display the certificate dialog to choose a certificate... Despite the fact no valid certificate are available !!!
I have some users with ie6 that have complained this is also the case sometime...
Please allow a per location ssl_verify_client (like apache).
Regards,
Eloril
|
Re: Per location ssl_verify_client December 27, 2011 05:22AM | Registered: 1 year ago Posts: 5 |
|
Re: Per location ssl_verify_client December 28, 2011 04:11AM | Registered: 1 year ago Posts: 6 |
Hello,
No, it's not 2 SSL certs tied to the same IP. I have one SSL certificate installed, and one server certificate to verify clients (the "ssl_verify_client on" instruction).
To connect to the public part of the website, no client certificate are required, but to view some specials pages, a client certificate is mandatory.
With Apache, you can for the root location indicate that there is no verification, and for some locations, you can indicate that client verification is required. When the user browse from one location without verification to one with verification required, apache makes a ssl renegotiation.
With Nginx it is impossible, due to the fact it doesn't support (yet) path based client ssl verification.
I have tried the solution proposed by Igor Sysoev : http://forum.nginx.org/read.php?29,173747
But with some browser, clients cannot connect to the public part of the website.
Path based client ssl verification with NginX will be huge improvement for me.
Regards,
Eloril
No, it's not 2 SSL certs tied to the same IP. I have one SSL certificate installed, and one server certificate to verify clients (the "ssl_verify_client on" instruction).
To connect to the public part of the website, no client certificate are required, but to view some specials pages, a client certificate is mandatory.
With Apache, you can for the root location indicate that there is no verification, and for some locations, you can indicate that client verification is required. When the user browse from one location without verification to one with verification required, apache makes a ssl renegotiation.
With Nginx it is impossible, due to the fact it doesn't support (yet) path based client ssl verification.
I have tried the solution proposed by Igor Sysoev : http://forum.nginx.org/read.php?29,173747
But with some browser, clients cannot connect to the public part of the website.
Path based client ssl verification with NginX will be huge improvement for me.
Regards,
Eloril
Sorry, only registered users may post in this forum.
Online Users
Guests:
101
Record Number of Users:
3
on May 21, 2013
Record Number of Guests:
104
on May 21, 2013
This forum is powered by Phorum.
 |  |  |  |
|