Access to SSL Distinguished Name information in Rhoconnect Authenticate Method

Hello again,

I've got another newbie question around Rhoconnect authentication, and I'd appreciate input from anyone who can help!

I'm looking to use a client SSL certificate (and a server certificate) to secure communication between Rhoconnect client and server.  To tell NGINX to check for a valid client certificate I can add the following lines to the nginx configuration...

ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;

So far so good.  But what I want to do is make the distinguished name (dn) attribute from the certificate available to my authenticate method. Nginx makes this information available in a built-in variable.  I'm not sure how to get that passed to the Rhoconnect thin instance, and to my application.rb in particular.  I guess I could push it into the HTTP(s) header or something, but I'm not even really sure where/how to access that.

I've managed to find an example for doing this for PHP invoked through fastcgi - but I've not been able to figure out how to translate this to Ruby/Rhoconnect.  For PHP you'd do this (allegedly)...

   fastcgi_param  DN $ssl_client_s_dn;
   include        fastcgi_params;

It strikes me as something that could be really useful to other enterprise users, so someone must be doing it.

Many thanks

John

Alexander Babichev

Have you had a chance to look at this post:

http://projects.puppetlabs.com/projects/1/wiki/Using_Mongrel_Nginx



Alexander Babichev

location / {
   proxy_pass http://thin_cluster;
   proxy_set_header    X-Real-IP $remote_addr;
   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header    Host $http_host;
   proxy_redirect      off;
   proxy_set_header    X-Client-DN      $ssl_client_s_dn;
   proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
   proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
   proxy_read_timeout  65;
}

Is it what you want?



John Hadfield

Alex,

I hadn't seen that post, so thanks for that and your following example.  I had considered using the header to pass the information - I had two outstanding questions on doing that, which I'm yet to begin researching:

1) How can I consume the header information inside the authenticate method?

2) How can I be sure it hasn't been spoofed?

When I find out, I'll report back, but if anyone's already figured that out please post.

Thanks

John



Alexander Babichev

On the 1st question I would say that you cannot get headers inside the auth method.

Why not use nginx's ability to check SSL client certificate attributes with the if directive in the nginx.conf file?

...

if ($ssl_client_s_dn !~ "O=some organization") {
  return 403;
}

...


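An added example, not from this thread and not part of Rhoconnect, covering both John's questions (how to consume the forwarded DN, and whether it can be spoofed) and Alexander's nginx "if" check. On the spoofing point: nginx's proxy_set_header replaces any same-named header the client sent, so a client cannot inject its own X-SSL-Subject as long as the thin instances are reachable only through nginx; the application side therefore only has to parse and authorize the value. The Rack-style middleware below reads X-SSL-Subject (which Rack exposes as env["HTTP_X_SSL_SUBJECT"]), parses the DN into attributes, rejects requests whose O attribute does not match the required organization (the same rule as the nginx "if", but comparing the whole value rather than a substring), and hands the parsed attributes to the downstream app. It accepts both DN layouts nginx has emitted over the years: the older "/C=GB/O=Org/CN=name" form and the RFC 2253 "CN=name,O=Org,C=GB" form used since nginx 1.11.6. The header name, the env key "ssl.client_dn", the sample DNs and the echo app are constructed assumptions.

```ruby
# Added example (not code from the thread or the Rhoconnect project).
# Assumptions: nginx forwards $ssl_client_s_dn as X-SSL-Subject; the
# backend is reachable only via nginx; the constant names below are ours.

# Parse a DN string as nginx emits it. Older nginx: "/C=GB/O=Example Org/CN=john".
# nginx >= 1.11.6 (RFC 2253): "CN=john,O=Example Org,C=GB".
# Escaped separators inside attribute values are not handled.
def parse_dn(dn)
  return {} if dn.nil? || dn.strip.empty?
  parts = dn.start_with?("/") ? dn[1..-1].split("/") : dn.split(",")
  parts.each_with_object({}) do |part, attrs|
    key, value = part.split("=", 2)
    next if key.nil? || value.nil?
    attrs[key.strip.upcase] = value.strip
  end
end

# Equivalent of the nginx rule `if ($ssl_client_s_dn !~ "O=...") { return 403; }`,
# but applied to the parsed O attribute so "O=Example Organisation" does not
# pass a check for "Example Org" by substring accident.
def authorized_dn?(dn, required_org)
  parse_dn(dn)["O"] == required_org
end

# Rack middleware: reject unless the forwarded subject DN belongs to the
# required organization; otherwise expose the parsed DN to the app.
class ClientCertGate
  HEADER = "HTTP_X_SSL_SUBJECT" # Rack env key for the X-SSL-Subject header (assumed name)
  ENV_KEY = "ssl.client_dn"     # where we hand the parsed attributes downstream (our choice)

  def initialize(app, required_org:)
    @app = app
    @required_org = required_org
  end

  def call(env)
    dn = env[HEADER]
    unless authorized_dn?(dn, @required_org)
      return [403, { "Content-Type" => "text/plain" }, ["forbidden"]]
    end
    env[ENV_KEY] = parse_dn(dn)
    @app.call(env)
  end
end

# Constructed downstream app: echoes the CN the gate handed it, standing in
# for whatever an authenticate method would do with the DN.
ECHO_APP = lambda do |env|
  [200, { "Content-Type" => "text/plain" }, ["hello #{env[ClientCertGate::ENV_KEY]['CN']}"]]
end

# Drive one request through the gate and return [status, body] for inspection.
def demo_request(dn, required_org = "Example Org")
  gate = ClientCertGate.new(ECHO_APP, required_org: required_org)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }
  env["HTTP_X_SSL_SUBJECT"] = dn unless dn.nil?
  status, _headers, body = gate.call(env)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p demo_request("/C=GB/O=Example Org/CN=john")    # legacy nginx DN layout, allowed
  p demo_request("CN=mallory,O=Other Org,C=GB")    # RFC 2253 layout, wrong org
  p demo_request(nil)                               # no client cert forwarded
end
```

Wire the gate in front of the Rack app in config.ru with `use ClientCertGate, required_org: "Example Org"`; the parsed DN is then available to anything downstream as env["ssl.client_dn"]. Because the trust in the header rests entirely on nginx overwriting it, bind thin to localhost (or a firewalled interface) so requests cannot bypass the proxy.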