Francis Daly
November 26, 2013 06:16PM
On Tue, Nov 26, 2013 at 07:19:55PM +0000, Radha Venkatesh (radvenka) wrote:

Hi there,

> An additional requirement is that we have to match the client certificate
> CN with an existing entry in /etc/hosts. What would be the simplest
> mechanism to do this? HttpPerlModule? Uwsgi?

In nginx terms, you have $remote_addr as the client IP address, and you
have the variables described in

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

as "things from the certificate".

I don't see CN listed there, so I suspect that whatever you do is going
to involve some extra parsing of the certificate, which probably means
something external or dynamic within nginx.conf.

The "simplest" mechanism is probably whichever one you are most familiar
with already.

Whether you use an embedded language or something external, you can make
sure to send the appropriate raw information to it, and let it decide
whether this is good or not.

You may be interested in trying http://nginx.org/r/auth_request as one
possible way of communicating the success or failure state of your check
back to nginx, but it all depends on the extra code that you must write.

Good luck with it,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
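
Added example, not part of the original message and not nginx code: one way to write the external check suggested above, returning a status that an auth_request subrequest can act on (2xx allows, 403 denies). It assumes nginx hands the checker $ssl_client_verify, $ssl_client_s_dn (in the comma-separated RFC 2253 form) and $remote_addr, for instance as request headers; the function names, the check_addr option and the sample hosts data are constructed for illustration.

```python
import re

# Constructed sample /etc/hosts content (not from the thread).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    app1.example.internal app1   # constructed entry
10.0.0.6    db1.example.internal
"""

def parse_hosts(text):
    """Map each lower-cased hostname or alias in hosts-file text to its IPs."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:
            names.setdefault(name.lower(), set()).add(fields[0])
    return names

def extract_cn(subject_dn):
    """Return the single CN of a comma-separated subject DN, else None.

    Fails closed: DNs with escapes or quotes, no CN, several CNs, or a CN
    that is not a plain hostname (for example a multi-valued "CN=a+OU=b")
    are rejected rather than guessed at.
    """
    if "\\" in subject_dn or '"' in subject_dn:
        return None
    cns = []
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            cns.append(value.strip())
    if len(cns) == 1 and re.fullmatch(r"[A-Za-z0-9.-]+", cns[0]):
        return cns[0]
    return None

def auth_status(verify, subject_dn, remote_addr, hosts, check_addr=False):
    """Decide the auth_request answer: 204 allows the request, 403 denies it."""
    if verify != "SUCCESS":            # only trust a DN from a verified certificate
        return 403
    cn = extract_cn(subject_dn)
    if cn is None or cn.lower() not in hosts:
        return 403
    # Optional extra (an assumption, not asked for in the thread): the client
    # must also connect from an address listed for that name.
    if check_addr and remote_addr not in hosts[cn.lower()]:
        return 403
    return 204
```

Matching on the exact CN value after strict parsing avoids substring matches against the raw DN, where a crafted O= or OU= field could contain a listed hostname.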