RE: Clientcertificate authentication only for a single URL

February 19, 2018 10:38AM
I would think "location=" would solve this. What about something like the following?

server {
    listen 443 ssl http2;
    server_name localhost;

    ssl_certificate ...
    ssl_certificate_key ...
    ssl_session_cache shared:SSL:1m;
    include templates/ssl_setup.conf;

    location = /login {
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-...

        proxy_pass http://localhost:8080;
    }

    location / {
        root /var/www/...;
    }
}

Jason


-----Original Message-----
From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Gbg
Sent: Monday, February 19, 2018 9:12 AM
To: nginx@nginx.org
Subject: [IE] Clientcertificate authentication only for a single URL



I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and, if necessary, it logs in a user by issuing a call to "myapp.local/login". I cannot create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time, I do not want to enforce ssl_verify for `/`, because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.

This is my current setup, which does not work because the first `server` definition block has higher priority. I tried to keep the example short; because of this you see some `...`. The SSL/TLS stuff is in my config file but is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference. I am on mainline 1.13.8.

http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }

    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }
    }
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
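
A single-server variant of the setup discussed in this thread, as an added example that is not part of either message: `ssl_verify_client` is not accepted inside a `location` block, so the client certificate is requested as `optional` for the whole server and enforced only for `/login` by checking `$ssl_client_verify`. The file paths are placeholders, and the `X-SSL-Client-Verify` and `X-SSL-Client-S-DN` header names are assumed for illustration.

```nginx
server {
    listen 443 ssl http2;
    server_name myapp.local;

    # Placeholder paths; substitute your own.
    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_session_cache   shared:SSL:1m;

    # ssl_verify_client is valid only at http/server level, so request
    # (but do not require) a client certificate for the whole server.
    ssl_client_certificate /path/to/acceptedcas.pem;
    ssl_verify_depth 2;
    ssl_verify_client optional;

    # Exact match: only /login insists on a verified certificate.
    location = /login {
        # $ssl_client_verify is SUCCESS, FAILED:<reason>, or NONE
        # (NONE = the client did not present a certificate).
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # proxy_set_header replaces any header of the same name sent by
        # the client, so the backend only sees values set by nginx.
        # Header names other than X-SSL-Client-Serial are illustrative.
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;

        # The backend trusts these headers, so it must not be reachable
        # except through this proxy (keep it bound to localhost).
        proxy_pass http://localhost:8080;
    }

    # The start page is served without any certificate check.
    location / {
        root /path/to/webroot;
    }
}
```

Because the certificate request is part of the TLS handshake, a browser that holds a certificate issued by one of the accepted CAs may still show its selection dialog on first connect; declining it leaves `$ssl_client_verify` at `NONE`, so `/` still loads and only `/login` is refused.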