Score:-1

I try to use nginx as a reverse proxy with validating client certificate and I want to check OU in client certificate. It always returns 404.

Here is my configuration.

```nginx
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;

        ssl_certificate /etc/ssl/certs/nginx-self.crt;
        ssl_certificate_key /etc/ssl/private/nginx-self.key;
        ssl_client_certificate /etc/nginx/client_cert/ttca.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;

                if ( $ssl_client_s_dn ~ "MyOU" ) {
                        proxy_pass https://192.168.210.108;
                }
                return 404;
        }
}
```
[if in location is evil](https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)

So how to do it?

No idea why this is not working. But you might want to use `$ssl_client_verify` in your conditional rather than `$ssl_client_s_dn` unless you have lots of CA certs you don't accept in ttca.pem. Adding `$ssl_client_s_dn` to the CGI vars (and/or some of the other `$ssl_` vars) might be helpful in debugging.

Did you check that the 404 is coming from nginx and not the origin server?

404 is coming from nginx. When I comment out `return 404` it works OK. I get my site https://192.168.210.108

"But you might want to use $ssl_client_verify in your conditional" - no. I want to check OU also and I want different redirection to different OU.
Score:1

You likely need a `break;` in your `if` block.

As it stands, the `if` implicit location inherits the `return 404;` from the outer block, and since `return` trumps `proxy_pass` you still only get a 404.

`if` in location blocks is extremely peculiar and I'd highly recommend you avoid it unless you read the various docs and examples very carefully, including the one Gerald linked, which I'm guessing you only read the title of.
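The answer's minimal fix is to add `break;` right after `proxy_pass https://192.168.210.108;` inside the `if`, so the inner location stops there instead of falling through to the inherited `return 404;`. The configuration below is an added example, not the poster's or the answer's own config: it goes one step further and takes `proxy_pass` out of the `if` altogether, using a `map` from `$ssl_client_s_dn` to an upstream variable so that several OUs can be routed to several backends (the poster's stated goal) while `if` is only used with `return`, one of the directives that is safe inside it. Certificate paths, the CA bundle, `MyOU` and `192.168.210.108` are the question's values; `OtherOU` and `192.0.2.10` are hypothetical placeholders.

```nginx
# Resolve the client's OU to an upstream once, in the http context.
# Since nginx 1.11.6 $ssl_client_s_dn is RFC 2253 formatted
# ("CN=...,OU=MyOU,O=..."), so anchor the OU as a whole DN component:
# the bare "MyOU" substring test from the question would also accept
# DNs such as "OU=NotMyOU" or "CN=MyOUser".
map $ssl_client_s_dn $ou_upstream {
    default                   "";
    "~(^|,)OU=MyOU(,|$)"      "https://192.168.210.108";
    "~(^|,)OU=OtherOU(,|$)"   "https://192.0.2.10";   # hypothetical second OU/backend
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/ssl/certs/nginx-self.crt;
    ssl_certificate_key /etc/ssl/private/nginx-self.key;

    # Only certificates chaining to ttca.pem survive the handshake: with "on",
    # a missing or unverifiable client certificate is rejected before any
    # location runs, so the map only ever sees the DN of a verified certificate.
    ssl_client_certificate /etc/nginx/client_cert/ttca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        # "return" is safe inside "if": the inner location it creates ends the
        # request here for any OU the map did not recognise.
        if ($ou_upstream = "") {
            return 404;
        }

        # No proxy_pass inside "if", so nothing is inherited and no "break" is
        # needed. With a variable, proxy_pass forwards the request URI unchanged;
        # a "resolver" is only required if the map values were hostnames, not IPs.
        proxy_pass $ou_upstream;
    }
}
```

Check the result with `nginx -t` before reloading; to see which DN the map actually receives, log `$ssl_client_s_dn` (and `$ou_upstream`) in a custom `log_format`, which is the debugging step one of the comments suggests.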
