Hello again,
I've got another newbie question around Rhoconnect authentication, and I'd appreciate input from anyone who can help!
I'm looking to use a client SSL certificate (and a server certificate) to secure communication between Rhoconnect client and server. To tell NGINX to check for a valid client certificate I can add the following lines to the nginx configuration....
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
So far so good. But what I want to do is make the distinguished name (dn) attribute from the certificate available to my authenticate method. Nginx makes this information available in a built-in variable. I'm not sure how to get that passed to the Rhoconnect thin instance, and to my application.rb in particular. I guess I could push it into the HTTP(s) header or something, but I'm not even really sure where/how to access that.
I've managed to find an example for doing this for PHP invoked through fastcgi - but I've not been able to figure out how to translate this to ruby/Rhoconnect. For php you'd do this (allegedly)...
fastcgi_param DN $ssl_client_s_dn;
include fastcgi_params;
It strikes me as something that could be really useful to other enterprise users, so someone must be doing it.
Many thanks
John
Have you had a chance to look at this post:
http://projects.puppetlabs.com/projects/1/wiki/Using_Mongrel_Nginx
location / {
proxy_pass http://thin_cluster;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 65;
}
Is it what you want?
Alex,
I hadn't seen that post, so thanks for that and your following example. I had considered using the header to pass the information - I had two outstanding questions on doing that - which I'm yet to begin researching:
1) How can I consume the header information inside the authenticate method?
2) How can I be sure it hasn't been spoofed?
When I find out, I'll report back, but if anyone's already figured that out please post.
Thanks
John
On the 1st question I would say that you cannot get headers inside the auth method.
Why not use nginx's ability to check SSL client certificate attributes with the if directive in the nginx.conf file...
if ($ssl_client_s_dn !~ "O=some organization") {
return 403;
}
...
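Picking up John's second question (spoofing) together with Alex's O= check: the Ruby below is an added example written for this thread, not code from Rhoconnect or from either poster. It assumes the thin backend is reachable only from nginx on 127.0.0.1 and that nginx sets X-Client-DN as in Alex's location block (proxy_set_header overwrites any value the client sent), so a DN header arriving from any other address is simply ignored; the header/env names are Rack conventions, and how the result reaches Rhoconnect's authenticate method is not something this thread settles.

```ruby
# Added example (not from the thread): parse the DN that nginx forwards in
# X-Client-DN and only trust it when the request really came from the proxy.
# $ssl_client_s_dn is emitted as "/C=GB/O=Example Ltd/CN=john" by older
# nginx and in RFC 2253 form "CN=john,O=Example Ltd,C=GB" by nginx 1.11.6+;
# both shapes are handled here.
def parse_dn(dn)
  return {} if dn.nil? || dn.empty?
  parts = if dn.start_with?('/')
            dn[1..-1].split('/')
          else
            dn.split(/(?<!\\),/) # split on commas not escaped with a backslash
          end
  parts.each_with_object({}) do |part, acc|
    key, value = part.split('=', 2)
    next if key.nil? || value.nil?
    acc[key.strip] = value.strip.gsub('\\,', ',')
  end
end

# Assumption: thin is bound to localhost and only nginx talks to it.
TRUSTED_PROXY = '127.0.0.1'

# Returns the parsed DN, or nil when the header cannot be trusted. Because
# nginx always sets X-Client-DN itself, a value is only meaningful when the
# request actually passed through nginx; anything else could be client-supplied.
def client_dn_from_env(env)
  return nil unless env['REMOTE_ADDR'] == TRUSTED_PROXY
  dn = env['HTTP_X_CLIENT_DN']
  return nil if dn.nil? || dn.empty?
  parse_dn(dn)
end

# Backend equivalent of nginx's `if ($ssl_client_s_dn !~ "O=some organization")`.
def authorized_org?(dn_hash, org)
  !dn_hash.nil? && dn_hash['O'] == org
end

# Constructed sample Rack env values, not real traffic.
SAMPLE_ENV  = { 'REMOTE_ADDR' => '127.0.0.1',
                'HTTP_X_CLIENT_DN' => '/C=GB/O=Example Ltd/CN=john' }
SPOOFED_ENV = { 'REMOTE_ADDR' => '203.0.113.5',
                'HTTP_X_CLIENT_DN' => 'CN=admin,O=Example Ltd,C=GB' }
```

If the backend port is exposed beyond localhost, the REMOTE_ADDR check is not enough on its own and the header should not be relied on at all.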