Client certificate authentication for cb_admin

138 views
Skip to first unread message

Guido Witmond

unread,
May 15, 2012, 7:33:20 AM5/15/12
to chica...@googlegroups.com

Hello everyone,

I'm toying with SSL client certificates and added it to cb_admin.

My patches assume you run a reverse proxy in front of CB. The proxy does
the SSL-handling and passes the results as header entries to CB.

For example, in nginx:
...
ssl on;
ssl_certificate /path-to/server-chained.cert;
ssl_certificate_key /path-to/server.privkey.pem;
ssl_client_certificate /path-to/cacert-root.crt; ## we require
clients to be signed by this CA.
ssl_verify_client optional; ## let
ssl_verify_depth 9;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-SSL-Client-Verify $ssl_client_verify; ## Returns
SUCCESS, FAILED, or NONE
proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn; ## subject DN
proxy_set_header X-SSL-Client-I-DN $ssl_client_i_dn; ## issuer DN
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
}


You can configure the certificate authority in boss.config with the
CACert Root certificate:
...
{cb_admin, [
{path, "../cb_admin"},
%% {allow_ip_blocks, []},
{require_client_cert, [
{request_header, "X-SSL-Client-Verify", ["SUCCESS"]},
{request_header, "X-SSL-CLient-I-DN",
[ "/O=Root CA/OU=http://www.cacert.org/CN=CA Cert
Signing Authority/emailAddress=sup...@cacert.org" ]},
{request_header, "X-SSL-CLient-S-DN", [
"/CN=My Name/emailAddress=m...@example.com",
"/CN=My Trusted
Colleague/emailAddress=h...@where-ever.com" ]}
]}, ...

It checks to see that the certificate matches the CA and the user is one
of the two people we trust admin access.


The controllers change their before_ function to:
before_(_) ->
cb_admin_lib:require_authentication(Req).



See the patches for implementation details.


Cheers, Guido Witmond.


cb_admin.patch
signature.asc
Reply all
Reply to author
Forward
0 new messages