On Tue, Nov 26, 2013 at 07:19:55PM +0000, Radha Venkatesh (radvenka) wrote:
Hi there,

> An additional requirement is that we have to match the client certificate
> CN with an existing entry in /etc/hosts. What would be the simplest
> mechanism to do this? HttpPerlModule? Uwsgi?

In nginx terms, you have $remote_addr as the client IP address, and you have the variables described in http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables as "things from the certificate".

I don't see CN listed there, so I suspect that whatever you do is going to involve some extra parsing of the certificate, which probably means something external or dynamic within nginx.conf.

The "simplest" mechanism is probably whichever one you are most familiar with already.

Whether you use an embedded language or something external, you can make sure to send the appropriate raw information to it, and let it decide whether this is good or not.

You may be interested in trying http://nginx.org/r/auth_request as one possible way of communicating the success or failure state of your check back to nginx, but it all depends on the extra code that you must write.

Good luck with it,

f
--
Francis Daly [email protected]
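As an added example (not part of the original message, and not nginx's own code), this is one way the external check could make its decision, assuming it is handed the subject DN string that nginx exposes as $ssl_client_s_dn in its comma-separated RFC 2253 form, the $remote_addr value, and the text of /etc/hosts. The function names and sample hosts entries are hypothetical, and requiring the hosts entry's address to equal the connecting address is an assumed reading of the requirement.

```python
import ipaddress

# Constructed sample hosts file (not from the original thread).
SAMPLE_HOSTS = """\
10.0.0.5    agent1.example.internal agent1
10.0.0.6    agent2.example.internal   # trailing comment
"""

def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def subject_cns(dn):
    """Return every CN value in a comma-separated (RFC 2253 style) DN."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i + 1]  # escaped character stays inside the value
            i += 2
            continue
        if dn[i] in ",+":  # unescaped separator ends the attribute
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    pairs = [p.partition("=") for p in parts]
    return [value.strip().lower() for key, sep, value in pairs
            if sep and key.strip().upper() == "CN"]

def hosts_map(text):
    """Map each lower-cased name or alias in hosts-file text to its addresses."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        addr = parse_ip(fields[0]) if len(fields) > 1 else None
        for name in (fields[1:] if addr is not None else []):
            table.setdefault(name.lower(), set()).add(addr)
    return table

def client_allowed(dn, remote_addr, hosts_text):
    """Allow only a single CN that is a hosts entry for the connecting address."""
    cns, addr = subject_cns(dn), parse_ip(remote_addr)
    # No CN, several CNs, or an unparsable address: refuse rather than guess.
    return (len(cns) == 1 and addr is not None
            and addr in hosts_map(hosts_text).get(cns[0], set()))
```

A DN in the older slash-separated form yields no CN here and is refused, so the check fails closed rather than misparsing it.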
