Nginx client certificate authentication: How to exclude an IP address
This is my solution:

    server {
        listen 443 ssl;
        server_name www.domain.com;

        ssl_certificate /etc/nginx/ssl/domain/server.crt;
        ssl_certificate_key /etc/nginx/ssl/domain/server.key;
        ssl_client_certificate /etc/nginx/ssl/clients/client_ca.pem;
        # "optional" asks for a client certificate but does not reject
        # the connection when none is sent
        ssl_verify_client optional;

        # Set global proxy settings
        proxy_read_timeout 360;
        proxy_pass_header Date;
        proxy_pass_header Server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding "";

        location / {
            # Exempt address: proxy without checking the client certificate
            if ($remote_addr = 1.2.3.4) {
                proxy_pass http://10.10.10.1;
                break;
            }
            # Everyone else must have presented a certificate that verified
            if ($ssl_client_verify != "SUCCESS") {
                return 403;
            }
            proxy_pass http://10.10.10.1;
        }

        error_log /var/log/nginx/domain-error.log;
        access_log /var/log/nginx/domain-access.log;
    }
The IP 1.2.3.4 can access the website without a client cert :-)
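An added example, not part of the original answer: the same exemption written with `geo` and `map`, so the allow/deny decision is computed in one place, fails closed, and leaves a single `if ... return` in the location. The variable names `$cert_exempt` and `$deny_client` are made up for this sketch; the paths, upstream and exempt address are the ones from the answer.

```nginx
# Both blocks below belong in the http {} context.

# 1 for addresses that may skip the client certificate, 0 otherwise.
# geo matches against $remote_addr by default and also accepts CIDR ranges.
geo $cert_exempt {
    default   0;
    1.2.3.4   1;    # exempt address from the answer
}

# Combine the exemption with the verification result.
# $ssl_client_verify is SUCCESS, FAILED:<reason> or NONE.
map "$cert_exempt:$ssl_client_verify" $deny_client {
    default       1;    # fail closed: anything not listed is denied
    "~^1:"        0;    # exempt address, whatever the certificate state
    "0:SUCCESS"   0;    # non-exempt address with a verified certificate
}

server {
    listen 443 ssl;
    server_name www.domain.com;

    ssl_certificate        /etc/nginx/ssl/domain/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/domain/server.key;
    ssl_client_certificate /etc/nginx/ssl/clients/client_ca.pem;

    # Must stay "optional": with "on" the request is rejected before
    # the location block runs, so the exemption could never apply.
    ssl_verify_client optional;

    location / {
        # "if" is false for "0" and the empty string, true otherwise.
        if ($deny_client) {
            return 403;
        }
        proxy_pass http://10.10.10.1;
    }

    error_log  /var/log/nginx/domain-error.log;
    access_log /var/log/nginx/domain-access.log;
}
```

The exemption is keyed on `$remote_addr`, so if another proxy or load balancer terminates connections in front of this server, every request appears to come from that device's address unless the realip module is configured to restore the client address.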
Author by
schaloml
Updated on September 18, 2022
Comments
-
schaloml over 1 year
I have Nginx running as a proxy to a web server and I want to secure access using TLS/SSL client certificates.
This is my SSL config:

    server {
        listen 443 ssl;
        server_name www.domain.com;
        ssl_certificate /etc/nginx/ssl/domain/server.crt;
        ssl_certificate_key /etc/nginx/ssl/domain/server.key;
        ssl_client_certificate /etc/nginx/ssl/clients/client_ca.pem;
        ssl_verify_client on;
    }

It works very well, but now I need to allow access to my site without client certificates from one specific IP address.
Is there a possibility to do this with nginx?
Thank you :-)
-
Drifter104 over 8 years
Have you had a look here? nginx.org/en/docs/http/ngx_http_access_module.html If you have and are still having problems, include what you tried and how it didn't work.
-
schaloml over 8 years
I will try it with the satisfy command. Thank you!
-
schaloml over 8 years
I tried this link ... but it didn't work...
-
schaloml over 8 years
I can't configure a second DNS name - it should be the same DNS name from anywhere...