Tweak Nginx Webserver with limited Client Certificate
Page content
Install NGINX & PHP
pkg_add nginx php--%7.3
rcctl enable nginx php73_fpm
Edit php.ini
sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/' /etc/php-7.3.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/' /etc/php-7.3.ini
nginx.conf
mkdir /var/log/nginx
cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes 1;
worker_rlimit_nofile 1024;
events {
worker_connections 800;
}
http {
include mime.types;
default_type application/octet-stream;
index index.php index.html index.htm;
keepalive_timeout 65;
server_tokens off;
proxy_cache_valid any 0s;
log_format main '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent';
map $ssl_client_serial $ssl_access {
default 0;
WFuDgzQBZXV740D3 1; # Hans Muster
EDugUslEX1Et90WX 0; # Beat Breu
2DF3C663741296F5 1; # Ruedi Ruessel
}
#
# HTTP -> Redirect to HTTPS
#
server {
listen 80;
server_name localhost;
access_log logs/host.access.log main;
return 301 https://$host$request_uri;
}
#
# HTTPS server
#
server {
listen 443 ssl;
server_name localhost;
access_log /var/log/nginx/puffy205.log main;
error_log /var/log/nginx/puffy205-error.log;
ssl_certificate /etc/ssl/combo/host.crt;
ssl_certificate_key /etc/ssl/combo/host.crt;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:1m;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
ssl_client_certificate /etc/ssl/combo/root.crt;
ssl_verify_client optional;
root /var/www/htdocs;
location / {
# Block if no Cert
if ($ssl_client_verify != SUCCESS) {
return 403;
}
# Block if not whitelisted
if ($ssl_access = 0) {
return 403;
}
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:run/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;
include fastcgi_params;
}
}
}
EOF
Root Cert, Server Cert
mkdir -p /etc/ssl/combo/
cat << 'EOF' > /etc/ssl/combo/host.crt
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIIaGXwEvomrIYwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0yMDA0MDIxNTE1
MDBaFw0yMjA2MTExNTE1MDBaMGIxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxGDAW
BgNVBAMTD3B1ZmZ5MjA1LnBsYW5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKiWF3qZvvXDPxuwhMHE3WDIQIJvRPKmBQQsEnnn598tD+W7aeSgvnZ3
Oel3n4WRl6syNF3CLPo3EbMy8VgZrCOul8Uvjro9WLZeL7tG5CndRFZu9Erzq2Ic
KodQGxEc3jC3UxFypr4OuUAigrlWi5dRp3dhzP4/xqQ42c1axPoI/YDzIdw5O6WZ
QWZf0YfsAIbbkw3YymLBoZQxyBmhasaU6xBnIAMLuYA6IVqz3QoGHxDr8bij34y5
TRb0575TzTdAtmWhN3GE+xGOJ/KPQ6MZjaA9oz15bMVuVg1uZgUXE5K22kx6eZLk
ejhV4nxnokftPJBZfaC9LbX661B9GTUCAwEAAaOBqzCBqDAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT9D1+1pNUT3SuAfeptzaeszgUivTALBgNVHQ8EBAMCBeAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwJAYDVR0RBB0wG4IPcHVmZnkyMDUucGxhbmV0gghw
dWZmeTIwNTARBglghkgBhvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBj
ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAKfRir/cZkKdeoDWV5qN3NNw/
AWNJZjkA6KvFwuXjvMR00/vlaqTuOOBKEU5CtxnHDKhfpkjSnX7ynoJXoAQYkNag
3reSKkFZ1TX1yz/Pf/f8YLbiA3e1hx9E0E5gAENtYB6vkZh5quhRnqsHSJpJP6H6
IYaZLh7w4+RL5qvQmN1tlyKwInrJmY6jsLPhALUDFQewDPJDla/iJ6ivlHsvCtMC
MA/slsJ2iWaHbAIzCXZyBeJHR949zJvja0jJPJHVDknsKypO9WEeMclaSoY1AfVI
dGg5W8ahwxuwX2e3ygbORoG0R1Qoeqdp8+VRvOpxM4R97NPtkEq/XPgrtWnoyQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqJYXepm+9cM/G7CEwcTdYMhAgm9E8qYFBCwSeefn3y0P5btp
...
AsoXCZvnbPzWsP8M2JokEngD0201NZN8/aBuDi0+aF1b3xA1vtKumdM=
-----END RSA PRIVATE KEY-----
EOF
chmod 440 /etc/ssl/combo/host.crt
cat << 'EOF' > /etc/ssl/combo/root.crt
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIIe1F3tBzaragwDQYJKoZIhvcNAQEMBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0xOTA2MDUyMDA0
MDBaFw0yOTA2MDUyMDA0MDBaMFoxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxEDAO
BgNVBAMTB3Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8
kBixlR0b3tE7Db6CuFTYeKdSGbnLx2Df8zir0ueFlv6JX5rLgbWbb5rMnWOH1O1N
AmCbuh0CrXD1evl1Glyf3hmumIvW4GVfWcQNvBsq1iUfoJn24qGnTu502xX1Gv5F
TCOxq2HqdLEwsktl2Pn76/49quj1PlBSSpYLWBsvqj1NkNIXgMzUjBURF+fEtRby
SE5RLbw+fubAw1e9K3Xu5VLgItno3g9t2B4MKTApsCZsOR288kedrAUxFhyB2pD/
6L9sbyM1h5r+EMjAzyeTeUKtXXqC+AyLthkw3eB58UY/QxpoNiggQY+5yd57yzxK
Ox1QHh+kj2+8eK5b3+pFAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFG8FFqfTRx/lTT0qfF/tEknHS7LSMAsGA1UdDwQEAwIBBjARBglghkgBhvhC
AQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG
9w0BAQwFAAOCAQEATzFY8H0EX+yFWEgRtGNciIp0WsQ53cjRnNxdkDsW+W2gB+cs
QdS2LBoWts5jLHXrZstJAoy1qyEhqyYvXFMf4SsfKsrXfli7fgod5figyVjhmz41
6v/Ss668kyjWOYkY3CYqPTJolxDuIpMIq/AMGurlcf6oTDdP/FPs4nvdGed16Qjp
849n7r+ugQKrbDC4VpDXcZECXlQjI3QgUeXKqly0LXcwqFXqC3+m1O6YTwyIFrLy
8ZyWjAKN4NdKd88eiczvEj3uQVXhqkbmiEyp3q5jsXcQLzblJ0aCABqppvGLgASq
Z9QeBLjqhJ3DIcgKcHqJsox+xKrDLtIvgYmaOg==
-----END CERTIFICATE-----
EOF
chmod 440 /etc/ssl/combo/root.crt
index.php
cat << 'EOF' > /var/www/htdocs/index.php
Hi <?
$array = [
"WFuDgzQBZXV740D3" => "Hans Muster",
"EDugUslEX1Et90WX" => "Beat Breu",
"2DF3C663741296F5" => "Ruedi Ruessel"
];
echo $array[$_SERVER['SSL_CLIENT_SERIAL']];
?>, your Certificat Serial Number is
<?
echo $_SERVER['SSL_CLIENT_SERIAL'];
?>
EOF
Start all stuff
rcctl restart nginx php73_fpm
Open Webpage:
Any Comments ?
sha256: f553b9894b989fb8a8a05a0b5222725825c54059243afc31164168137d2c3215