Welcome! Log In Create A New Profile

Advanced

How to reject ssl_client_verify FAILED requests and allow SUCCESS/NONE results

Posted by imrsk 
How to reject ssl_client_verify FAILED requests and allow SUCCESS/NONE results
February 17, 2022 01:07AM
I'm enabling client certificate authentication in Nginx with "ssl_verify_client" set to "optional_no_ca".
I'm planning to allow the requests either if it is validated successfully or if there's no client cert submitted.

Client cert Results I wish to allow are:
ssl_client_verify - SUCCESS allow
ssl_client_verify - NONE allow
ssl_client_verify - FAILED reject all failed cases

I've come up with the following two regexes to achieve the above

location / {
if ( $ssl_client_verify ~ FAILED ){return 403 "Unauthenticated";}
proxy_pass http://app;
}

(or)

location / {
if ( $ssl_client_verify ~ (SUCCESS|NONE) ){ proxy_pass http://app; }
return 403 "Unauthenticated";
}



I'm not expertized in Nginx regexes. Hence, I just wanted to review whether this regex is secure enough to reject all possible failure cases.

Is there any other better way to do this. Thanks in advance.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 81
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready