Welcome! Log In Create A New Profile

Advanced

Per location ssl_verify_client

Posted by eloril 
Per location ssl_verify_client
August 23, 2011 05:11AM
Hello,

I have a website with both frontend and backend in ssl.

The frontend is allowed for everybody.

But I wish the backend be allowed only with a valid client certificate.
It's url is something like that :
https://www.my_website.com/admin

I'm trying the following config :
location /admin/ { ## Allow admins only to view admin page
ssl_verify_client on;
ssl_verify_depth 1;
}

But NginX 1.0.5 complains :
nginx: [emerg] "ssl_verify_client" directive is not allowed here

With apache, you can set ssl_verify_client on a per location basis...

Regards,
Eloril
Re: Per location ssl_verify_client
August 25, 2011 12:38AM
path based client ssl verification is messy as it requires the client/server to do a (secure) renegotiation.

You're better off doing a separate domain or make it ssl_verify_client optional at the top level and check the compliance at application level.
Re: Per location ssl_verify_client
August 29, 2011 08:28AM
I understand it is somehow difficult... But it can be very useful.

Sometimes you don't have the choice to create another domain or make the check at application level. In fact I don't have the choice, but I have to protect the admin directory...

As far as I understand, client and server do a renegotiation regularly, when the session cache expires... Then the server can perform a secure renegotiation on a per location basis relatively easily. I believe that for a server like NginX, which is very well programmed, it can be done quickly.

I'm sure a per location client certificate requirement can be a real asset in NginX.

Now, I'm evaluating NginX. I wish to migrate from apache (which supports this), but it is a real big issue for me.

Regards,
Eloril
Re: Per location ssl_verify_client
October 29, 2011 05:45PM
Hello,

I have tried the solution proposed by Igor Sysoev :
http://forum.nginx.org/read.php?29,173747

Despite the fact it can be a little tricky with php-fpm, I did it.

After a phase of testing, I applied it on a production server... but some times it doesn't work at all and the website is totally anavailable !

When you set
ssl_verify_client optional;

and do something like that
location ^~ /my_private_directory { ## Allow admins only to view admin page
if ($ssl_client_verify != SUCCESS) {
return 403;
break;
}
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
if ($request_filename ~ .php$) {
expires off; ## Do not cache dynamic content
fastcgi_pass unix:/tmp/php-fpm.sock;
}
}

then with Firefox and Chrome it is always ok, but with safari (for windows) it is not the case. If another certificate is installed on the user machine, then Safari display the certificate dialog to choose a certificate... Despite the fact no valid certificate are available !!!

I have some users with ie6 that have complained this is also the case sometime...

Please allow a per location ssl_verify_client (like apache).

Regards,
Eloril
Re: Per location ssl_verify_client
December 27, 2011 05:22AM
I'm a little confused. You want 2 SSL certs tied to the same IP? One for /admin/ and one for everything else?
Re: Per location ssl_verify_client
December 28, 2011 04:11AM
Hello,

No, it's not 2 SSL certs tied to the same IP. I have one SSL certificate installed, and one server certificate to verify clients (the "ssl_verify_client on" instruction).

To connect to the public part of the website, no client certificate are required, but to view some specials pages, a client certificate is mandatory.

With Apache, you can for the root location indicate that there is no verification, and for some locations, you can indicate that client verification is required. When the user browse from one location without verification to one with verification required, apache makes a ssl renegotiation.

With Nginx it is impossible, due to the fact it doesn't support (yet) path based client ssl verification.

I have tried the solution proposed by Igor Sysoev : http://forum.nginx.org/read.php?29,173747

But with some browser, clients cannot connect to the public part of the website.

Path based client ssl verification with NginX will be huge improvement for me.

Regards,
Eloril
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 79
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready