2
0
mirror of https://github.com/opnsense/docs synced 2024-11-17 03:25:33 +00:00
opensense-docs/source/manual/how-tos/nginx_tls_auth.rst

57 lines
1.8 KiB
ReStructuredText
Raw Normal View History

=========================================
nginx: TLS Authentication & Authorization
=========================================
.. Warning::
Even if this is probably the most secure way to authenticate,
a lot of clients do not support it. In addition, configuring
client certificates can also be hard to do for users.
This authentication mechanism is recommended for machine to
machine communication and experienced users.
Background Information
======================
TLS authentication happens when the HTTPS connection is set up and for
this reason you can not configure it per directory (this information has
not been received yet). If you want to use this authentication type in
a custom application, the nginx plugin configures nginx to send you
the required information like the CN).
Configuration
=============
First of all, you need a CA, a client and a server certificate.
Please create it like described in :doc:`sslvpn_client`. If you want,
that your VPN users can log into your application using the same certificate,
you may use the same CA.
.. image:: images/nginx_auth_tls.png
Next, choose the CA, the certificate and choose *on* as for client validation.
This will reject any connection by a client, who has no valid certificate.
Testing
=======
.. code-block:: none
curl https://192.168.1.1:444/file.txt --cacert ../MyOPNsenseCA.crt
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>
.. code-block:: none
curl https://192.168.1.1:444/file.txt --cert ../nginx_client_test_cert.crt --key ../nginx_client_test_cert.key --cacert ../MyOPNsenseCA.crt
Hello World