Per location ssl_verify_client

Posted by eloril 
August 23, 2011 05:11AM
Hello,

I have a website with both frontend and backend in ssl.

The frontend is allowed for everybody.

But I wish the backend be allowed only with a valid client certificate.
Its URL is something like this:
https://www.my_website.com/admin

I'm trying the following config:

    location /admin/ { ## Allow admins only to view admin page
        ssl_verify_client on;
        ssl_verify_depth 1;
    }

But NginX 1.0.5 complains:
nginx: [emerg] "ssl_verify_client" directive is not allowed here

With Apache, you can set ssl_verify_client on a per-location basis...

Regards,
Eloril
Re: Per location ssl_verify_client
August 25, 2011 12:38AM
Path-based client SSL verification is messy, as it requires the client and server to do a (secure) renegotiation.

You're better off using a separate domain, or making ssl_verify_client optional at the top level and checking compliance at the application level.
Re: Per location ssl_verify_client
August 29, 2011 08:28AM
I understand it is somewhat difficult... But it can be very useful.

Sometimes you don't have the choice of creating another domain or making the check at the application level. In fact I don't have the choice, but I have to protect the admin directory...

As far as I understand, client and server renegotiate regularly, when the session cache expires... Then the server can perform a secure renegotiation on a per-location basis relatively easily. I believe that for a server like NginX, which is very well programmed, it can be done quickly.

I'm sure a per location client certificate requirement can be a real asset in NginX.

Now I'm evaluating NginX. I wish to migrate from Apache (which supports this), but this is a really big issue for me.

Regards,
Eloril
Re: Per location ssl_verify_client
October 29, 2011 05:45PM
Hello,

I have tried the solution proposed by Igor Sysoev:
http://forum.nginx.org/read.php?29,173747

Despite the fact that it can be a little tricky with php-fpm, I did it.

After a phase of testing, I applied it on a production server... but sometimes it doesn't work at all and the website is totally unavailable!

When you set

    ssl_verify_client optional;

and do something like this

    location ^~ /my_private_directory { ## Allow admins only to view admin page
        ## Refuse any request whose client certificate did not verify.
        ## "return" ends request processing, so no "break" is needed after it.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        ## $fastcgi_https is expected to be defined by a map at http level
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        if ($request_filename ~ \.php$) { ## the dot must be escaped in the regex
            expires off; ## Do not cache dynamic content
            fastcgi_pass unix:/tmp/php-fpm.sock;
        }
    }

then with Firefox and Chrome it is always OK, but with Safari (for Windows) it is not the case. If another certificate is installed on the user's machine, then Safari displays the certificate dialog to choose a certificate... despite the fact that no valid certificate is available!

I have some users with IE6 who have complained that this is also the case sometimes...

Please allow a per-location ssl_verify_client (like Apache).

Regards,
Eloril
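A complete server block for the approach Igor Sysoev proposed in the linked thread (optional verification at server level, per-location check of $ssl_client_verify), written here as an added example; it is not code from this thread, from Eloril, or from the nginx project. The certificate paths, document root, server name and php-fpm socket are assumptions; the directives and variables are standard nginx ones. The 403 check is repeated inside the nested PHP location because nested locations do not inherit a parent location's "if" block (rewrite-module directives are evaluated per location), so relying on the outer check alone would leave the PHP files under /admin/ unprotected.

```nginx
# Added example (not from this thread). Paths marked "assumed" are placeholders.
server {
    listen 443 ssl;
    server_name www.my_website.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/server.key;   # assumed path

    # CA that issued the client certificates. "optional" asks every client
    # for a certificate but does not close the connection when none is sent;
    # $ssl_client_verify then holds SUCCESS, FAILED or NONE.
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;   # assumed path
    ssl_verify_client optional;
    ssl_verify_depth 1;

    root  /var/www/my_website;   # assumed document root
    index index.php index.html;

    # Public part of the site: no client-certificate check at all.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/php-fpm.sock;   # assumed socket path
    }

    # Protected part: only requests whose client certificate verified
    # against client-ca.crt get through. "return" ends request processing,
    # so no "break" is needed after it.
    location ^~ /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        try_files $uri $uri/ /admin/index.php?$args;

        # Nested locations do not inherit the parent's "if" block, so the
        # check is repeated here for the PHP files under /admin/.
        location ~ \.php$ {
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            include fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Hand the verification result and subject DN to the application
            # so it can repeat the check itself (the application-level check
            # suggested earlier in the thread).
            fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
            fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
            fastcgi_pass unix:/tmp/php-fpm.sock;   # assumed socket path
        }
    }
}
```

With ssl_verify_client optional, nginx requests a client certificate in every TLS handshake for this server block, naming the issuers from ssl_client_certificate; that is why a browser holding any client certificate may open its certificate chooser even for the public part of the site, which matches the Safari behaviour reported above. The access decision does not depend on what the browser does: a request that reaches /admin/ without $ssl_client_verify equal to SUCCESS is refused before anything is passed to php-fpm. php-fpm exposes the forwarded parameters as $_SERVER['SSL_CLIENT_VERIFY'] and $_SERVER['SSL_CLIENT_S_DN'], so the application can check them a second time and, if it keeps an allow-list of subject DNs, decide which verified certificates are actually admins.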
Re: Per location ssl_verify_client
December 27, 2011 05:22AM
I'm a little confused. You want 2 SSL certs tied to the same IP? One for /admin/ and one for everything else?
Re: Per location ssl_verify_client
December 28, 2011 04:11AM
Hello,

No, it's not 2 SSL certs tied to the same IP. I have one SSL certificate installed, and one server certificate to verify clients (the "ssl_verify_client on" instruction).

To connect to the public part of the website, no client certificate is required, but to view some special pages, a client certificate is mandatory.

With Apache, you can indicate for the root location that there is no verification, and for some locations you can indicate that client verification is required. When the user browses from a location without verification to one with verification required, Apache makes an SSL renegotiation.

With Nginx it is impossible, because it doesn't (yet) support path-based client SSL verification.

I have tried the solution proposed by Igor Sysoev: http://forum.nginx.org/read.php?29,173747

But with some browsers, clients cannot connect to the public part of the website.

Path-based client SSL verification with NginX would be a huge improvement for me.

Regards,
Eloril