Client

Tweak Nginx Webserver with limited Client Certificate

Install NGINX & PHP

pkg_add nginx php--%7.3
rcctl enable nginx php73_fpm

Edit php.ini

sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/'  /etc/php-7.3.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/'  /etc/php-7.3.ini

nginx.conf

mkdir /var/log/nginx

cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes  1;

worker_rlimit_nofile 1024;

events {
    worker_connections  800;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.php index.html index.htm;

    keepalive_timeout  65;

    server_tokens off;

    proxy_cache_valid any 0s;

    log_format  main  '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent';

    map $ssl_client_serial $ssl_access {
      default 0;
      WFuDgzQBZXV740D3 1;   # Hans Muster
      EDugUslEX1Et90WX 0;   # Beat Breu
      2DF3C663741296F5 1;   # Ruedi Ruessel
    }
    #
    # HTTP -> Redirect to HTTPS
    #
    server {
        listen        80;
        server_name   localhost;
        access_log    logs/host.access.log  main;
        return 301    https://$host$request_uri;
    }
    #
    # HTTPS server
    #
    server {
        listen        443 ssl;
        server_name   localhost;
        access_log    /var/log/nginx/puffy205.log main;
        error_log     /var/log/nginx/puffy205-error.log;

        ssl_certificate             /etc/ssl/combo/host.crt;
        ssl_certificate_key         /etc/ssl/combo/host.crt;
        ssl_session_timeout         5m;
        ssl_session_cache           shared:SSL:1m;
        ssl_ciphers                 HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate      /etc/ssl/combo/root.crt;
        ssl_verify_client           optional;

        root                        /var/www/htdocs;

        location / {
          # Block if no Cert
          if ($ssl_client_verify != SUCCESS) {
            return 403;
          }
          # Block if not whitelisted
          if ($ssl_access = 0) {
            return 403;
          }
        }

        location ~ \.php$ {
          try_files      $uri $uri/ =404;
          fastcgi_pass   unix:run/php-fpm.sock;
          fastcgi_index  index.php;
          fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param  SSL_CLIENT_SERIAL $ssl_client_serial;
          include        fastcgi_params;
        }
    }
}
EOF

Root Cert, Server Cert

mkdir -p /etc/ssl/combo/
cat << 'EOF' > /etc/ssl/combo/host.crt
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIIaGXwEvomrIYwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0yMDA0MDIxNTE1
MDBaFw0yMjA2MTExNTE1MDBaMGIxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxGDAW
BgNVBAMTD3B1ZmZ5MjA1LnBsYW5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKiWF3qZvvXDPxuwhMHE3WDIQIJvRPKmBQQsEnnn598tD+W7aeSgvnZ3
Oel3n4WRl6syNF3CLPo3EbMy8VgZrCOul8Uvjro9WLZeL7tG5CndRFZu9Erzq2Ic
KodQGxEc3jC3UxFypr4OuUAigrlWi5dRp3dhzP4/xqQ42c1axPoI/YDzIdw5O6WZ
QWZf0YfsAIbbkw3YymLBoZQxyBmhasaU6xBnIAMLuYA6IVqz3QoGHxDr8bij34y5
TRb0575TzTdAtmWhN3GE+xGOJ/KPQ6MZjaA9oz15bMVuVg1uZgUXE5K22kx6eZLk
ejhV4nxnokftPJBZfaC9LbX661B9GTUCAwEAAaOBqzCBqDAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT9D1+1pNUT3SuAfeptzaeszgUivTALBgNVHQ8EBAMCBeAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwJAYDVR0RBB0wG4IPcHVmZnkyMDUucGxhbmV0gghw
dWZmeTIwNTARBglghkgBhvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBj
ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAKfRir/cZkKdeoDWV5qN3NNw/
AWNJZjkA6KvFwuXjvMR00/vlaqTuOOBKEU5CtxnHDKhfpkjSnX7ynoJXoAQYkNag
3reSKkFZ1TX1yz/Pf/f8YLbiA3e1hx9E0E5gAENtYB6vkZh5quhRnqsHSJpJP6H6
IYaZLh7w4+RL5qvQmN1tlyKwInrJmY6jsLPhALUDFQewDPJDla/iJ6ivlHsvCtMC
MA/slsJ2iWaHbAIzCXZyBeJHR949zJvja0jJPJHVDknsKypO9WEeMclaSoY1AfVI
dGg5W8ahwxuwX2e3ygbORoG0R1Qoeqdp8+VRvOpxM4R97NPtkEq/XPgrtWnoyQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqJYXepm+9cM/G7CEwcTdYMhAgm9E8qYFBCwSeefn3y0P5btp
...
AsoXCZvnbPzWsP8M2JokEngD0201NZN8/aBuDi0+aF1b3xA1vtKumdM=
-----END RSA PRIVATE KEY-----
EOF
chmod 440 /etc/ssl/combo/host.crt

cat << 'EOF' > /etc/ssl/combo/root.crt
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIIe1F3tBzaragwDQYJKoZIhvcNAQEMBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0xOTA2MDUyMDA0
MDBaFw0yOTA2MDUyMDA0MDBaMFoxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxEDAO
BgNVBAMTB3Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8
kBixlR0b3tE7Db6CuFTYeKdSGbnLx2Df8zir0ueFlv6JX5rLgbWbb5rMnWOH1O1N
AmCbuh0CrXD1evl1Glyf3hmumIvW4GVfWcQNvBsq1iUfoJn24qGnTu502xX1Gv5F
TCOxq2HqdLEwsktl2Pn76/49quj1PlBSSpYLWBsvqj1NkNIXgMzUjBURF+fEtRby
SE5RLbw+fubAw1e9K3Xu5VLgItno3g9t2B4MKTApsCZsOR288kedrAUxFhyB2pD/
6L9sbyM1h5r+EMjAzyeTeUKtXXqC+AyLthkw3eB58UY/QxpoNiggQY+5yd57yzxK
Ox1QHh+kj2+8eK5b3+pFAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFG8FFqfTRx/lTT0qfF/tEknHS7LSMAsGA1UdDwQEAwIBBjARBglghkgBhvhC
AQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG
9w0BAQwFAAOCAQEATzFY8H0EX+yFWEgRtGNciIp0WsQ53cjRnNxdkDsW+W2gB+cs
QdS2LBoWts5jLHXrZstJAoy1qyEhqyYvXFMf4SsfKsrXfli7fgod5figyVjhmz41
6v/Ss668kyjWOYkY3CYqPTJolxDuIpMIq/AMGurlcf6oTDdP/FPs4nvdGed16Qjp
849n7r+ugQKrbDC4VpDXcZECXlQjI3QgUeXKqly0LXcwqFXqC3+m1O6YTwyIFrLy
8ZyWjAKN4NdKd88eiczvEj3uQVXhqkbmiEyp3q5jsXcQLzblJ0aCABqppvGLgASq
Z9QeBLjqhJ3DIcgKcHqJsox+xKrDLtIvgYmaOg==
-----END CERTIFICATE-----
EOF
chmod 440 /etc/ssl/combo/root.crt

index.php

cat << 'EOF' > /var/www/htdocs/index.php
Hi <?
  $array = [
    "WFuDgzQBZXV740D3" => "Hans Muster",
    "EDugUslEX1Et90WX" => "Beat Breu",
    "2DF3C663741296F5" => "Ruedi Ruessel"
  ];
  echo $array[$_SERVER['SSL_CLIENT_SERIAL']];
?>, your Certificat Serial Number is
<?
  echo $_SERVER['SSL_CLIENT_SERIAL'];
?>
EOF

Start all stuff

rcctl restart nginx php73_fpm

Open Webpage:

puffy205

Openbsd Nginx with Client Authentication

Requirement

/etc/httpd.conf

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "*" {
  listen on * port 8080
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

/etc/nginx/nginx.conf

# Take note of http://wiki.nginx.org/Pitfalls

#user  www;
worker_processes  1;

#load_module "modules/ngx_stream_module.so";

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#error_log  syslog:server=unix:/dev/log,severity=notice;

#pid        logs/nginx.pid;

worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    #access_log  logs/access.log  main;

    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server_tokens off;

    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;
        root         /var/www/htdocs;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root  /var/www/htdocs;
        }
    }


    # HTTPS server
    server {
        listen       443 ssl;
        server_name  localhost;
        root         /var/www/htdocs;

        ssl_certificate      /etc/ssl/puffy201.planet.crt;
        ssl_certificate_key  /etc/ssl/private/puffy201.planet.key;

        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;

        ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate /etc/ssl/root_ca.crt;
        ssl_verify_client optional;


    location /secure
    {
        if ($ssl_client_verify != SUCCESS) {
             return 403;
        }

        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
    }

    location /
    {
        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
      }
    }
}

Any Comments ?

sha256: 66399e64ba490e0bdaa65dac27a679891a89c1a99ae57055b73fb3839cb2ee76

Nginx with Client Certificate

NGINX with Client Certificates

root@debian:/etc/nginx/sites-available#
server {
  listen 80;
  listen [::]:80;

  server_name host198.planet;
  root /var/www/host198.planet;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  location / {
    try_files $uri $uri/ =404;
  }
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name host198.planet;
  root /var/www/host198.planet;

  ssl_certificate /etc/ssl/private/fullchain.crt;
  ssl_certificate_key /etc/ssl/private/host198.planet.key;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;

  ssl_client_certificate /etc/ssl/private/ca.crt;
  ssl_verify_client optional;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  #location / {
  #        try_files $uri $uri/ =404;
  #}
  location / {
    # if the client-side certificate failed to authenticate, show a 403
    # message to the client
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }
  }
}

Any Comments ?

sha256: dbf64919ee3864f77b78f71f2b4b70d6794d96dd3dbbe1ae9ce3442cda571c26