Setting up client side user authentication with mTLS
March 02, 2023 11:26AM

I'm working on a web page which doesn't have very high security needs, but I still would like to ensure that only my unit can access the admin pages. Unfortunately it relies on third-party software that requires an admin page. It's running on a VPS, I don't have physical access to the server.

So far, I kept it simple. I set up a site with a server block which contains the autogenerated letsencrypt boilerplate code. The block has a single location / which allows entry to my IP address only, like this:

server {

    location / {
        allow <my-ip-address>;
        deny all;
        proxy_pass etc...
    }

    letsencrypt boilerplate...
}

Of course the admin page also has strong password protection. I thought this was a hacky solution, as I don't think my IP is constant from the ISP; probably it's enough that I restart my router and it changes. Then I thought, since TLS is based on a similar protocol to ssh, maybe I could restrict access to only those who have my private RSA key, which would be me. Just like I do with ssh. So, I created a self-signed certificate on my local machine like this:

$ openssl genrsa -des3 -out client.key 2048
$ openssl req -key client.key -new -out client.csr
$ openssl x509 -signkey client.key -in client.csr -req -days 365 -out client.crt
$ openssl pkcs12 -inkey client.key -in client.crt -export -legacy -out client.pfx

I had to add the -legacy option on the last command, because otherwise my macos keychain wouldn't import it. Now, naive as I was, I thought all I had to do was to upload the client.crt file to the server, and then add the following lines to the server block in my nginx configuration file, just below the letsencrypt boilerplate:

ssl_client_certificate /home/username/client.crt;
ssl_verify_client on;

Now, when I try to visit it with Google Chrome, I get a 400 error - "No required SSL certificate was sent". However, the machine never asks me for one either. I have read loads of tutorials on how to tell Chrome to send the certificate, and they all tell me to import the client.pfx file into the macos Keychain Access, so that's what I've done. Any other way to restrict access to only my unit would also be great, if it's easier.
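Added example (my own Go code, not from the original post or from nginx): the two directives above acted out in-process. `handshake` plays nginx with `ssl_client_certificate` pointing at a self-signed client.crt and `ssl_verify_client on` on a loopback listener; Go's crypto/tls stands in for OpenSSL, a self-signed server cert stands in for the Let's Encrypt one, and the names admin.example.test and my-unit are made up. A client holding the matching key gets nil back, and one that sends nothing gets the rejection nginx reports as the 400 above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mirrors `openssl x509 -signkey client.key`: the cert is its own issuer, so one file is both the leaf and the trust anchor.
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake plays nginx with `ssl_client_certificate` = trusted and `ssl_verify_client on`; nil means the client authenticated.
func handshake(server, trusted tls.Certificate, client []tls.Certificate) error {
	clientCAs, serverCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(trusted.Leaf) // named in the server's CertificateRequest and used to verify what the client sends back
	serverCAs.AddCert(server.Leaf)  // lets the loopback client verify the server, as a browser does via the Let's Encrypt chain
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
	if err != nil {
		return err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: serverCAs, ServerName: server.Leaf.Subject.CommonName, Certificates: client}) // browser side: offers whatever certs it holds; socket abandoned, demo only
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake() // the point where nginx answers 400 "No required SSL certificate was sent"
}

func main() {
	s, c := selfSigned("admin.example.test"), selfSigned("my-unit") // made-up names: the site and the poster's own unit
	fmt.Println("matching key:", handshake(s, c, []tls.Certificate{c}), "| no certificate:", handshake(s, c, nil))
}
```

Because the client's trust anchor is the client cert itself, `clientCAs` here is exactly what `ssl_client_certificate /home/username/client.crt` hands OpenSSL, and the server's CertificateRequest lists that cert's subject as the only acceptable issuer.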