
Commit d888ba6

Add template support for all host types to do client CA authorization
When an access list contains client CAs, the combined CA auth file is added to all location blocks via an `if` statement. This allows LetsEncrypt and other support paths to work, while correctly denying access to the protected resources.
1 parent 5c72908 commit d888ba6

4 files changed

+17
-7
lines changed


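--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@@ -265,7 +265,6 @@ const internalAccessList = {
 }, true /* <- skip masking */);
 })
 .then((row) => {
-console.log(row);
 return internalAccessList.build(row)
 .then(() => {
 if (row.proxy_host_count) {
@@ -579,7 +578,6 @@ const internalAccessList = {
 });
 
 const caCertificateBuild = new Promise((resolve, reject) => {
-// TODO: we need to ensure this rebuild is run if any certificates change
 logger.info('Building Client CA file #' + list.id + ' for: ' + list.name);
 let clientca_file = internalAccessList.getClientCAFilename(list);
 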
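--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@@ -74,7 +74,7 @@ const internalProxyHost = {
 // re-fetch with cert
 return internalProxyHost.get(access, {
 id: row.id,
-expand: ['certificate', 'owner', 'access_list.[clients,items]']
+expand: ['certificate', 'owner', 'access_list.[clientcas.certificate,clients,items]']
 });
 })
 .then((row) => {
@@ -188,7 +188,7 @@ const internalProxyHost = {
 .then(() => {
 return internalProxyHost.get(access, {
 id: data.id,
-expand: ['owner', 'certificate', 'access_list.[clients,items]']
+expand: ['owner', 'certificate', 'access_list.[clientcas.certificate,clients,items]']
 })
 .then((row) => {
 if (!row.enabled) {
@@ -225,7 +225,7 @@ const internalProxyHost = {
 .query()
 .where('is_deleted', 0)
 .andWhere('id', data.id)
-.allowGraph('[owner,access_list,access_list.[clients,items],certificate]')
+.allowGraph('[owner,access_list.[clientcas.certificate,clients,items],certificate]')
 .first();
 
 if (access_data.permission_visibility !== 'all') {
@@ -308,7 +308,7 @@ const internalProxyHost = {
 .then(() => {
 return internalProxyHost.get(access, {
 id: data.id,
-expand: ['certificate', 'owner', 'access_list']
+expand: ['certificate', 'owner', 'access_list.[clientcas.certificate]']
 });
 })
 .then((row) => {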
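Review bot: The expand list changed at line 311, `'access_list.[clientcas.certificate]'`, still omits `clients` and `items`, while the other three hunks in this file now expand `access_list.[clientcas.certificate,clients,items]`. The narrower shape predates this commit, but if the `.then((row) => {` that follows (outside the hunk) re-renders the nginx config, `_access.conf`'s `access_list.items.length` check would see no items and the basic-auth block would be dropped from the generated config, so the line should probably read `expand: ['certificate', 'owner', 'access_list.[clientcas.certificate,clients,items]']`. The same graph string is now repeated verbatim in three places; a single module-level `const ACCESS_LIST_GRAPH = 'access_list.[clientcas.certificate,clients,items]';` referenced from each call would prevent exactly this kind of drift. Every enclosing promise chain starts and ends outside the hunks shown.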

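--- a/backend/templates/_access.conf
+++ b/backend/templates/_access.conf
@@ -1,4 +1,10 @@
 {% if access_list_id > 0 %}
+{% if access_list.clientcas.size > 0 %}
+# TLS Client Certificate Authorization
+if ($ssl_client_verify != "SUCCESS") {
+return 403;
+}
+{% endif %}
 {% if access_list.items.length > 0 %}
 # Authorization
 auth_basic "Authorization required";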
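Review bot: The `$ssl_client_verify != "SUCCESS"` guard added at lines 4–6 fails closed more broadly than its comment suggests: a client that presents no certificate yields `NONE` and, as far as I recall, a plain-HTTP request leaves the variable empty, so both are rejected with 403 alongside genuinely failed verifications; this is the right behaviour for a protected resource but is easy to mistake for a bug, so the comment on line 3 should say so, e.g. `# TLS Client Certificate Authorization - also rejects requests with no certificate or no TLS`. The new guard tests `access_list.clientcas.size` while the existing line just below tests `access_list.items.length`; using the same collection accessor for both keeps the template from depending on two different properties. Note also that verification here only proves the certificate chains to the configured CA file — nothing in this commit emits `ssl_crl`, so a revoked client certificate still passes unless revocation is handled elsewhere, which is worth a line in the template or the docs.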

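--- a/backend/templates/_certificates.conf
+++ b/backend/templates/_certificates.conf
@@ -11,4 +11,10 @@
 ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
 {% endif %}
 {% endif %}
-
+{% if access_list_id > 0 -%}
+{% if access_list.clientcas.size > 0 %}
+# Client Certificate Authorization ({{access_list.clientcas.size}} CAs)
+ssl_client_certificate /data/clientca/{{ access_list_id }};
+ssl_verify_client optional;
+{% endif %}
+{% endif %}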
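Review bot: `ssl_verify_client optional` at line 18 is emitted without an `ssl_verify_depth`, so nginx's default depth of 1 applies and client certificates issued through an intermediate CA will verify as FAILED unless every intermediate is also present in `/data/clientca/{{ access_list_id }}`; either emit `ssl_verify_depth` next to it or state the constraint in the comment on line 16. That path is hard-coded in the template whereas `access-list.js` derives the file name through `getClientCAFilename(list)` (body outside this diff); if the two ever diverge the config breaks at reload, so rendering the name from the same helper would be safer. Two style points: `{{access_list.clientcas.size}}` on line 16 lacks the spaces used by `{{ certificate_id }}` on line 11, and the `-%}` whitespace control appears on line 14 but on none of the other new tags.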
