Mutual TLS nginx, restricting certain users/groups?

Ryan

2/10/23, 12:42 AM

I have a route that is restricted using client certs signed by my CA in Nginx. It's working well, but allows anyone with a cert than I sign to enter. Is it possible to restrict based on users/groups/roles instead, maybe from a header or something?

Currently, I have something basic:

        location / {
                if ($ssl_client_verify != SUCCESS) {
                        return 403;
                }

0 + 0

ssl

nginx

Ivan Shatsky

2/10/23, 3:10 AM

I don't quite understand what users or groups do you mean, if you want to use some information from certificate as user/group name, you can check [this](https://stackoverflow.com/questions/64897935/trouble-with-proxypass-of-remote-user-from-nginx-to-django) SO thread.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Mutual TLS nginx, restricting certain users/groups?

TH: TLS nginx ร่วมกัน จำกัด ผู้ใช้ / กลุ่มบางกลุ่มหรือไม่

RO: Nginx TLS reciproc, restricționând anumiți utilizatori/grupuri?

RU: Взаимный TLS nginx, ограничивающий определенных пользователей/групп?

VI: TLS nginx lẫn nhau, hạn chế một số người dùng/nhóm nhất định?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.