Hello everyone,
I'm toying with SSL client certificates and added it to cb_admin.
My patches assume you run a reverse proxy in front of CB. The proxy does
the SSL-handling and passes the results as header entries to CB.
For example, in nginx:
...
ssl on;
ssl_certificate /path-to/server-chained.cert;
ssl_certificate_key /path-to/server.privkey.pem;
ssl_client_certificate /path-to/cacert-root.crt; ## we require
clients to be signed by this CA.
ssl_verify_client optional; ## let
ssl_verify_depth 9;
location / {
proxy_pass
http://127.0.0.1:8001;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-SSL-Client-Verify $ssl_client_verify; ## Returns
SUCCESS, FAILED, or NONE
proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn; ## subject DN
proxy_set_header X-SSL-Client-I-DN $ssl_client_i_dn; ## issuer DN
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
}
You can configure the certificate authority in boss.config with the
CACert Root certificate:
...
{cb_admin, [
{path, "../cb_admin"},
%% {allow_ip_blocks, []},
{require_client_cert, [
{request_header, "X-SSL-Client-Verify", ["SUCCESS"]},
{request_header, "X-SSL-CLient-I-DN",
[ "/O=Root CA/OU=
http://www.cacert.org/CN=CA Cert
Signing Authority/emailAddress=
sup...@cacert.org" ]},
{request_header, "X-SSL-CLient-S-DN", [
"/CN=My Name/emailAddress=
m...@example.com",
"/CN=My Trusted
Colleague/emailAddress=
h...@where-ever.com" ]}
]}, ...
It checks to see that the certificate matches the CA and the user is one
of the two people we trust admin access.
The controllers change their before_ function to:
before_(_) ->
cb_admin_lib:require_authentication(Req).
See the patches for implementation details.
Cheers, Guido Witmond.