Nginx通过证书进行身份验证

时间:2020-06-25 20:34:44

标签: nginx lua ldap certificate

对不起,我的英语。

我们有这样的配置并且可以使用,但是我不喜欢它。

我检查用户证书,我需要使用nginx来检查用户AD组的成员。

我在BASH上有一个脚本,该脚本在文件夹“ / etc / nginx / g_cert_users / {CN_FROM_AD}”中创建文件。然后,当客户端连接时,我从客户端证书($ ssl_client_s_dn)中拉出CN,并检查是否存在具有该名称的文件。

我如何立即在ldap中发出请求,该用户是组的成员吗?

server {
        listen   443 ssl;
        server_name  my.domain.ua;
        access_log /var/log/nginx/access-my_domain.ua.log combined_ssl;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error_id_domain-ua.log  debug;
keepalive_timeout 70;
        ssl                  on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_certificate /etc/ssl/certs/domain_chain.pem;
        ssl_certificate_key /etc/ssl/private/star_domain_ua.key;
        #ssl_client_certificate /etc/nginx/domain_sbca.crt;
        ssl_client_certificate /etc/nginx/PKI_SBCA01_1.pem;
        ssl_trusted_certificate /etc/nginx/PKI_RTCA_1.pem;
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_session_timeout  25m;
        ssl_session_cache   shared:SSL:10m;
        ssl_protocols      TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    add_header Strict-Transport-Security "max-age=31536000";
        error_page 510 /510.html;
        error_page 509 /509.html;
        location = /510.html {
           root   /var/www/html;
           allow all;
        }
        location = /509.html {
           root   /var/www/html;
           allow all;
        }
    location = /403.html {
           root   /var/www/html;
           allow all;
        }
        location / {
if ($ssl_client_s_dn ~* "CN=(.*)") { set "$cn_user" "$1"; }
if (!-f "/etc/nginx/g_cert_users/$cn_user" ) { return 403; }
proxy_pass https://mm.domain.ua;
}

0 个答案:

没有答案
相关问题
最新问题