Francis Daly
November 27, 2013 06:08PM
On Wed, Nov 27, 2013 at 12:01:16AM +0000, Radha Venkatesh (radvenka) wrote:

Hi there,

> I found the below snippet which could provide me the cn from the certificate.

Great, now you have a variable to hold the CN that you want to do
something with.

> What would be the easiest way to compare this with an entry in /etc/hosts? Do we need an external module to do this?
>

I think you need some form of programming, if you want to read /etc/hosts
"live" each time -- you can try whatever language you have compiled in
to your nginx, or you can use any one of the *_pass directives to talk
to whatever you write in the language of your choice.

If you are happy to statically write the contents of /etc/hosts into
your nginx.conf, so that it is only read on startup, you could probably
do it all in config: use another "map" to check that $ssl_client_s_dn_cn
is one of your expected values:

map $ssl_client_s_dn_cn $is_cn_in_etc_hosts {
    default "no";
    hostname1 "yes";
    host2.example.com "yes";
}

Or you could check that the matching ip address is the same as
$remote_addr, if that is what you want:

map $ssl_client_s_dn_cn $what_ip_should_cn_have {
    default "";
    hostname1 "127.0.0.3";
    host2.example.com "127.0.0.4";
}

and then compare $what_ip_should_cn_have with $remote_addr.

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
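
Added example, not part of the message above and not nginx project code: a Python sketch of the "statically write the contents of /etc/hosts into your nginx.conf" option, which generates the second map from hosts-file text. The sample hosts content and the names parse_hosts and render_map are constructed for illustration; a name that collides with a map special parameter is backslash-escaped, and tokens that are not plain hostnames are dropped.

```python
import ipaddress
import re

# Constructed sample /etc/hosts content (not from the thread).
SAMPLE_HOSTS = """\
# comment line
127.0.0.3   hostname1
127.0.0.4   host2.example.com host2   # trailing comment
10.0.0.9    default
not-an-ip   bogus.example.com
10.0.0.10   ~evil.*
"""

# Names the map block treats as special parameters; a source value equal to
# one of them must be prefixed with a backslash to be matched literally.
MAP_KEYWORDS = {"default", "hostnames", "include", "volatile"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_hosts(text):
    """Return {name: ip} for well-formed entries; first mapping of a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address
        for name in fields[1:]:
            # Keep plain hostnames only, so a leading "~" (regex in map)
            # or quoting characters never reach the generated config.
            if HOSTNAME_RE.match(name):
                table.setdefault(name.lower(), ip)
    return table


def render_map(table, variable="$what_ip_should_cn_have"):
    """Render a map keyed on $ssl_client_s_dn_cn from a {name: ip} table."""
    lines = ["map $ssl_client_s_dn_cn %s {" % variable, '    default "";']
    for name in sorted(table):
        key = "\\" + name if name in MAP_KEYWORDS else name
        lines.append('    %s "%s";' % (key, table[name]))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_map(parse_hosts(SAMPLE_HOSTS)))
```

Because the generated map is only read on startup, it has to be regenerated and the configuration reloaded whenever /etc/hosts changes.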