Need to compare client certificate CN with an entry in /etc/hosts

Radha Venkatesh (radvenka)
November 26, 2013 02:22PM
I am a newbie to Nginx. We plan to use nginx as a reverse proxy to tomcat and node js on our systems. We plan to use MTLS to secure server to server communication (between nginx on different servers). An additional requirement is that we have to match the client certificate CN with an existing entry in /etc/hosts. What would be the simplest mechanism to do this? HttpPerlModule? Uwsgi?
Below is the config we have used to prototype nginx as reverse proxy with MTLS.

server {
    listen 443 ssl;
    server_name localhost;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    #SSL Certs
    ssl_certificate /etc/nginx/locations.d/b7k-vma170.crt;
    ssl_certificate_key /etc/nginx/locations.d/b7k-vma170.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5:AES128-SHA:AES256-SHA:RC4-SHA:@STRENGTH;
    ssl_client_certificate /etc/nginx/locations.d/root-ca.crt;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    keepalive_timeout 70;

    include /etc/nginx/locations.d/*.conf;
    include /var/nginx/locations.d/*.conf;
    deny all;
}

ip-allow.conf contents

allow 10.94.12.148;
allow 10.94.12.165;
deny all;

webapps.conf contents

location / {
    root /var/lib/tomcat/webapps;
    proxy_pass http://127.0.0.1:8082;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;

    proxy_connect_timeout 1200;
    proxy_send_timeout 1200;
    proxy_read_timeout 1200;
}

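An added example, not part of the original post and not nginx project code: one way to do the comparison the post asks about in a small Python helper that receives the subject DN nginx exposes as $ssl_client_s_dn and checks its CN against the names in a hosts file. The function names, the sample hosts content and the sample DNs are constructed for illustration; how the helper is wired to nginx is left open.

```python
import re

# Constructed sample /etc/hosts content (names and addresses are made up).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# peers allowed to connect
10.0.0.11   app01.example.internal app01
10.0.0.12   app02.example.internal   # second node
fe80::1%lo0 ip6-local
"""

# One or more DNS labels; rejects CNs that are not plain host names.
HOSTNAME = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*")

def hosts_names(text):
    """Return every canonical name and alias in hosts-file text, lowercased."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on blanks
        names.update(f.lower() for f in fields[1:])  # fields[0] is the address
    return names

def subject_cn(dn):
    """Return the CN of a subject DN, or None unless exactly one CN is present.

    Accepts the one-line form ("/C=US/CN=host") and the RFC 2253 form
    ("CN=host,C=US"). The one-line form is ambiguous when a value contains
    "/", so the RFC 2253 form is preferable where it is available.
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = re.split(r"(?<!\\)[,+]", dn)     # unescaped RDN separators
    cns = [v.strip() for k, _, v in (p.partition("=") for p in parts)
           if k.strip().upper() == "CN"]
    return cns[0] if len(cns) == 1 else None

def cn_allowed(dn, hosts_text):
    """True only if the DN has one CN, it is a host name, and hosts lists it."""
    cn = subject_cn(dn)
    if cn is None:
        return False
    cn = cn.lower()                              # host names compare case-insensitively
    return bool(HOSTNAME.fullmatch(cn)) and cn in hosts_names(hosts_text)

if __name__ == "__main__":
    for dn in ("/C=US/O=Example/CN=app01.example.internal",
               "CN=app03.example.internal,O=Example,C=US"):
        print(dn, "->", cn_allowed(dn, SAMPLE_HOSTS))
```
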