RE: Clientcertificate authentication only for a single URL

Gbg
February 19, 2018 10:52AM
I think this will set the headers only for the login URL but still ask for the certificate on all URLs. And this is not what I need, I only want to have to present a certificate for a single URL.


On February 19, 2018 16:35:59 CET, Jason Whittington <Jason.Whittington@equifax.com> wrote:
>I would think "location=" would solve this. What about something like
>the following?
>
>    server {
>        listen 443 ssl http2;
>        server_name localhost;
>
>        ssl_certificate ...
>        ssl_certificate_key ...
>        ssl_session_cache shared:SSL:1m;
>        include templates/ssl_setup.conf;
>
>        location = /login {
>            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
>            proxy_set_header X-SSL-Client-...
>
>            proxy_pass http://localhost:8080;
>        }
>
>        location / {
>            root /var/www/...;
>        }
>    }
>
>Jason
>
>
>-----Original Message-----
>From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Gbg
>Sent: Monday, February 19, 2018 9:12 AM
>To: nginx@nginx.org
>Subject: [IE] Clientcertificate authentication only for a single URL
>
>
>
>I need to secure only a single URL on my server by demanding or
>enforcing client certificate based authentication. My application is
>called by opening "myapp.local" and if necessary it logs in a user by
>issuing a call to "myapp.local/login". I can not create a second
>hostname to do the login, so specifying a second `server` with
>`server_name myapplogin.local` does not work.
>Because the login is not necessary all the time I do not want to
>enforce ssl_verify for `/` because then the user would be prompted with
>a certificate selection dialog even before he can see the start page of
>my application.
>
>This is my current setup which does not work because the first `server`
>definition block has higher priority. I tried to keep the example
>short, because of this you see some `...`, the ssl/tls stuff is in my
>config file but is not repeated here because I think it is not part of
>the problem.
>Replacing `server_name localhost` with `server_name myapp.local` didn't
>make any difference. I am on mainline 1.13.8
>
>http {
>    server {
>        listen 443 ssl http2;
>        server_name localhost;
>
>        ssl_certificate ...
>        ssl_certificate_key ...
>        ssl_session_cache shared:SSL:1m;
>        include templates/ssl_setup.conf;
>
>        location / {
>            root /var/www/...;
>        }
>
>    }
>
>    server {
>        listen 443 ssl http2;
>        server_name localhost;
>
>        ssl_certificate ...
>        ssl_certificate_key ...
>        ssl_session_cache shared:SSL:1m;
>
>        ssl_client_certificate /.../acceptedcas.pem;
>        ssl_verify_depth 2;
>        ssl_verify_client on;
>
>        location /login {
>            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
>            proxy_set_header X-SSL-Client-...
>
>            proxy_pass http://localhost:8080;
>        }
>    }
>}

--
This message was sent from my Android device with K-9 Mail.
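
An added example, not part of the thread and not any poster's configuration: a single `server` block that requests the client certificate as optional and enforces it only in `location = /login`, which is the usual way to scope the requirement in nginx. The file paths, the `root` directory and the two extra `X-SSL-Client-*` header names are assumptions.

```nginx
# Added example; values marked "assumed" are placeholders.
server {
    listen 443 ssl http2;
    server_name myapp.local;

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;   # assumed path

    # ssl_verify_client is valid only in http/server context, so the
    # certificate is requested once, during the TLS handshake.
    # "optional" lets the handshake succeed without a client certificate.
    ssl_client_certificate /etc/nginx/tls/acceptedcas.pem;   # assumed path
    ssl_verify_depth 2;
    ssl_verify_client optional;

    location = /login {
        # Enforcement happens here. $ssl_client_verify is SUCCESS,
        # NONE (no certificate sent) or FAILED:<reason>.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # proxy_set_header replaces any header of the same name sent by
        # the client, so the backend only sees values set by nginx.
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;   # assumed header name
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;     # assumed header name

        proxy_pass http://localhost:8080;
    }

    location / {
        root /var/www/myapp;   # assumed path
    }
}
```

Because the certificate request is sent in the handshake for the whole server, a browser that holds a matching certificate may still show its selection dialog on the first connection; only the rejection of requests without a verified certificate is limited to `/login`.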