
Merged in PROD-1704 (pull request #2)

PROD-1704: Pass TLS client cert variables to EPRI rails app as header

Approved-by: Christopher DeMoll
Blake Schneider 6 anni fa
parent
commit
2ac0b6d002
1 ha cambiato i file con 26 aggiunte e 20 eliminazioni
  1. 26 20
      nginx.conf

+ 26 - 20
nginx.conf

@@ -1,28 +1,28 @@
-server {
-    listen       80;
-    server_name  localhost;
-
-    # Don't advertise
-    server_tokens off;
-
-    # Don't merge slashes
-    merge_slashes off;
-
-    root /dev/null;
-
-      location / {
-        proxy_set_header  X-Real-IP        $remote_addr;
-        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
-        proxy_set_header  Host             $http_host;
-        proxy_redirect    off;
-        proxy_pass http://vtn-rails:8080;
-      }
+map $ssl_client_s_dn $ssl_client_s_dn_cn {
+	default "no_client_cert";
+	~(^|,)CN=(?<CN>[^,]+) $CN;
 }
 
 server {
-    listen 443 ssl default_server;
+    listen 443 ssl;
     server_name localhost;
     root /dev/null;
+    
+    # TODO: once the JACE sends an official Kyrio cert, this can be set to 
+    # 'on' so the trust-chain is verified against the CA certs in ssl.crt.
+    # Also may require tuning of ssl_verify_depth directive.
+
+    # In its current state EPRI will validate that the client cert's CN
+    # is correct, but in theory someone could spoof it with a self-signed
+    # certificate containing the "correct" CN.
+
+    # Also note that webui admin routes will likely be hit without a client
+    # cert, so you will probably want to either:
+    # a) have a seperate server/vhost for VEN traffic vs. admin traffic
+    # b) leave ssl_verify_client at optional or optional_no_ca, and match
+    #    on $ssl_client_verify in a location block.
+
+    ssl_verify_client optional_no_ca;
 
     # Don't advertise
     server_tokens off;
@@ -38,6 +38,12 @@ server {
         proxy_set_header  X-Forwarded-Ssl on;
         proxy_set_header  X-Forwarded-Port $server_port;
         proxy_set_header  X-Forwarded-Host $host;
+
+        # these next two headers are consumed by EPRI to validate client cert
+        # CN vs. EPRI VEN Common Name.
+        proxy_set_header  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; 
+        proxy_set_header  HTTPS true;
+        
         proxy_redirect    off;
         proxy_pass http://vtn-rails:8080;
     }
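Review bot: The `SSL_CLIENT_S_DN_CN` header is set unconditionally, so with `ssl_verify_client optional_no_ca` the Rails app receives the same CN whether the presented certificate chains to a trusted CA or not, and it has no signal to tell the two apart — exactly the spoofing case the comment in the first hunk describes. Forwarding the verification result alongside the CN lets the backend require a verified chain once the Kyrio CA is in place, without another nginx change: `proxy_set_header  SSL_CLIENT_VERIFY $ssl_client_verify;` next to the CN header. One caveat on the map in the first hunk: the regex `~(^|,)CN=(?<CN>[^,]+)` assumes the comma-separated RFC 2253 form of `$ssl_client_s_dn`, which I believe only newer nginx builds emit (older ones use a slash-separated DN), so on an older binary every cert would map to "no_client_cert"; worth pinning the nginx version or noting the assumption in the comment above the map. The enclosing `location` block starts outside this hunk.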