Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
blake
/
epri-vtn_custom
İzle 1
Yıldızla 0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Kaynağa Gözat

PROD-1704: Pass TLS client cert variables to EPRI rails app as header

Allows EPRI to perform CN validation
Blake Schneider 6 yıl önce
ebeveyn
f678520200
işleme
b91c1bd0fe
1 değiştirilmiş dosya ile 26 ekleme ve 20 silme
Görünümü Böl Farklılık Durumunu Göster
  1. 26 20
      nginx.conf

+ 26 - 20
nginx.conf
Dosyayı Görüntüle 

@@ -1,28 +1,28 @@
 
-server {
 
-    listen       80;
 
-    server_name  localhost;
 
-
 
-    # Don't advertise
 
-    server_tokens off;
 
-
 
-    # Don't merge slashes
 
-    merge_slashes off;
 
-
 
-    root /dev/null;
 
-
 
-      location / {
 
-        proxy_set_header  X-Real-IP        $remote_addr;
 
-        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
 
-        proxy_set_header  Host             $http_host;
 
-        proxy_redirect    off;
 
-        proxy_pass http://vtn-rails:8080;
 
-      }
 
+map $ssl_client_s_dn $ssl_client_s_dn_cn {
 
+	default "no_client_cert";
 
+	~(^|,)CN=(?<CN>[^,]+) $CN;
 
 }
 
 
 server {
 
-    listen 443 ssl default_server;
 
+    listen 443 ssl;
 
     server_name localhost;
 
     root /dev/null;
 
+    
+    # TODO: once the JACE sends an official Kyrio cert, this can be set to 
+    # 'on' so the trust-chain is verified against the CA certs in ssl.crt.
 
+    # Also may require tuning of ssl_verify_depth directive.
 
+
 
+    # In its current state EPRI will validate that the client cert's CN
 
+    # is correct, but in theory someone could spoof it with a self-signed
 
+    # certificate containing the "correct" CN.
 
+
 
+    # Also note that webui admin routes will likely be hit without a client
 
+    # cert, so you will probably want to either:
 
+    # a) have a seperate server/vhost for VEN traffic vs. admin traffic
 
+    # b) leave ssl_verify_client at optional or optional_no_ca, and match
 
+    #    on $ssl_client_verify in a location block.
 
+
 
+    ssl_verify_client optional_no_ca;
 
 
     # Don't advertise
 
     server_tokens off;
 
@@ -38,6 +38,12 @@ server {
 
         proxy_set_header  X-Forwarded-Ssl on;
 
         proxy_set_header  X-Forwarded-Port $server_port;
 
         proxy_set_header  X-Forwarded-Host $host;
 
+
 
+        # these next two headers are consumed by EPRI to validate client cert
 
+        # CN vs. EPRI VEN Common Name.
 
+        proxy_set_header  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; 
+        proxy_set_header  HTTPS true;
 
+        
         proxy_redirect    off;
 
         proxy_pass http://vtn-rails:8080;
 
     }