Nginx client certificate authentication: How to exclude an IP address

This is my solution:

server {
    listen                  443 ssl;
    server_name             www.domain.com;
    ssl_certificate         /etc/nginx/ssl/domain/server.crt;
    ssl_certificate_key     /etc/nginx/ssl/domain/server.key;
    ssl_client_certificate  /etc/nginx/ssl/clients/client_ca.pem;
    # "optional" requests a client certificate but still accepts connections without one
    ssl_verify_client       optional;

    # Set global proxy settings
    proxy_read_timeout      360;
    proxy_pass_header       Date;
    proxy_pass_header       Server;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        Accept-Encoding "";

    location / {
        # Exempt address: proxy the request without checking the client certificate
        if ($remote_addr = 1.2.3.4) {
            proxy_pass http://10.10.10.1;
            break;
        }

        # Every other client must have presented a certificate that verified against client_ca.pem
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }

        proxy_pass http://10.10.10.1;
    }

    error_log /var/log/nginx/domain-error.log;
    access_log /var/log/nginx/domain-access.log;
}

The IP 1.2.3.4 can access the website without a client cert :-)

Author: schaloml

Updated on September 18, 2022

Comments

  • schaloml over 1 year

    I have Nginx running as a proxy to a web server and I want to secure access using TLS/SSL client certificates.

    This is my SSL config:

    server {
        listen                  443 ssl;
        server_name             www.domain.com;
        ssl_certificate         /etc/nginx/ssl/domain/server.crt;
        ssl_certificate_key     /etc/nginx/ssl/domain/server.key;
        ssl_client_certificate  /etc/nginx/ssl/clients/client_ca.pem;
        ssl_verify_client       on;
    }

    It works very well, but now I need to allow access to my site without client certificates from one specific IP address.

    Is there a possibility to do this with nginx?

    Thank you :-)

    • Drifter104 over 8 years
      Have you had a look here? nginx.org/en/docs/http/ngx_http_access_module.html If you have and are still having problems, include what you tried and how it didn't work.
    • schaloml over 8 years
      I will try it with the satisfy command. Thank you!
    • schaloml over 8 years
      I tried this link ... but it didn't work...
  • schaloml over 8 years
    I can't configure a second DNS name - it should be the same DNS name from anywhere...