Question about client certs

Hi

Is it possible with nginx to do this

/
/noclientcert/
/clientcert/

so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don’t need a cert.

Looks like from the config doco you can only set it for the whole tree

A

Alex Samad:

Is it possible with nginx to do this

https://www.abc.com
/
/noclientcert/
/clientcert/

so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don’t need a cert.

as far as I learned it’s not possible and the usual answer
to such feature requests is: “use different virtual hosts”

Andreas

Your question shows you need to understand how HTTP over TLS works.

TLS enciphers HTTP content, thus nothing is readable (either headers or
body).
How do you select the right certificate based on HTTP content? You
can’t.

Wait, Host-HTTP-Header-based certificate delivery exists, how is that
possible?
With TLS it is basically impossible, but it works through a TLS extension
called Server Name Indication (SNI). nginx docs talk about that:
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

Now what you ask requires access to enciphered HTTP content.
Short answer: there is no way to do that, you will need to use different
servers, either using SNI (as Andreas suggested) or separate IP
addresses.

B. R.

Dear Alex.

Am 02-02-2016 04:32, schrieb Alex Samad:

so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don’t need a cert.

Looks like from the config doco you can only set it for the whole tree

I would try to use these directives

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
http://nginx.org/en/docs/http/ngx_http_map_module.html

and in a map make something like this.

map $ssl_client_cert $clientcert {
    default "";
    "~.*CLIENT_CERT_CHECK" clientcert;
}

and

location $clientcert {
}

location no$clientcert {
}

is this possible ;-)?

BR Aleks

Am 02-02-2016 23:22, schrieb Alex Samad:

Yep, I think that's what I was asking.

Cool, it would be nice if you can tell us if it works and how was your
solution :wink:

BR Aleks

Yep, I think that's what I was asking.

We have a home-grown RP at work that does it, and IIS used to do it:
apply cert requirements on part of the tree.

On Wed, Feb 03, 2016 at 09:37:25AM +0100, Aleksandar L. wrote:

Am 02-02-2016 23:22, schrieb Alex Samad:

Hi there,

Cool, it would be nice if you can tell us if it works and how was
your solution :wink:

I think that “location” does not take variables, and so this will
not work.

More below.

On 2 February 2016 at 20:56, Aleksandar L. [email protected] wrote:

Am 02-02-2016 04:32, schrieb Alex Samad:

Looks like from the config doco you can only set it for the
whole tree …

Untested by me, but if you set

ssl_verify_client optional;

and then within your

location ^~ /clientcert/ {}

you have something like

if ($ssl_client_verify != SUCCESS) { return 403; }

would that fit your needs?

(If the content below /clientcert/ is all handled by an external process,
then possibly it could do its own validation or verification using values
provided by nginx.)

Module ngx_http_ssl_module for some details.

Good luck with it,

f

Francis D. [email protected]
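Francis's suggestion written out as a complete server block, as an added example that is not from the thread or from the nginx project; the hostname, file paths and backend address are placeholders. It assumes the client CA bundle is at /etc/nginx/tls/client-ca.crt and that the backend for /clientcert/ listens on 127.0.0.1:8080.

```nginx
# Added example (not from the thread). Paths, host and backend are placeholders.
server {
    listen 443 ssl;
    server_name www.abc.com;

    ssl_certificate     /etc/nginx/tls/server.crt;       # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;       # placeholder

    # CA that issued the client certificates we are willing to accept.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt; # placeholder
    ssl_verify_depth 2;

    # The certificate is requested in the TLS handshake, before nginx knows
    # the request path, so it has to be "optional" for the whole virtual host.
    # A client that sends no certificate is still let through; the result is
    # exposed per request in $ssl_client_verify (SUCCESS or NONE here).
    ssl_verify_client optional;

    location / {
        root /var/www/abc;             # placeholder
    }

    location ^~ /noclientcert/ {
        root /var/www/abc;             # placeholder; no certificate check
    }

    location ^~ /clientcert/ {
        # Enforce the certificate only for this subtree. Comparing against
        # the exact string SUCCESS also rejects FAILED:* values, which can
        # appear if the mode is later changed to optional_no_ca.
        # "if" + "return" inside a location is one of the safe uses of "if".
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Pass the verified identity on to the backend. The backend must be
        # reachable only through this nginx, or these headers can be forged.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```

Because the certificate request happens at handshake time, browsers that have a matching client certificate installed may prompt for it even when the user only visits /; that is the cost of doing this inside one virtual host instead of the separate SNI hosts suggested earlier in the thread.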