Hello!

On Mon, Sep 07, 2015 at 08:18:29PM +0300, Andrey Kulikov wrote:
> Hello,
>
> Nginx SSL module allows to use some variables:
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
> But sometimes they are not enough.
>
> Please find attached patch, adding two more:
> $ssl_client_not_before - Validity date from client certificate 'Not Before'
> $ssl_client_not_after - Validity date from client certificate 'Not After'
>
> After applying changes you may use them in configuration along with other
> variables:
>
> location /test_headers/ {
>     proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial;
>     proxy_set_header X-ClientCert-NotBefore $ssl_client_not_before;
>     proxy_set_header X-ClientCert-NotAfter $ssl_client_not_after;
>     proxy_pass http://192.168.88.156/;
> }
>
> And it will appear (in this case) in proxied content in the following
> form:
>
> X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F
> X-ClientCert-NotBefore: Jul 9 22:20:31 2015 GMT
> X-ClientCert-NotAfter: Oct 9 22:30:31 2015 GMT
>
>
> Tested on 1.8.0, tested that it can be cleanly applied to 1.9.4.
>
> Feel free to ask any questions regarding this matter.

How do you expect these variables to be used?  For some form of
warning like "your certificate will expire soon, please update it"?

Note that validity of the certificate was already checked at this
point, these fields in particular, and that's not something a
backend server needs to test.

See also http://nginx.org/en/docs/contributing_changes.html for some
hints on how we would prefer submissions to be done.

[...]

> + return NGX_OK;
> +}
> +
> +ngx_int_t
> +ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool,
> ngx_str_t *s)

Two empty lines between functions, please.

[...]

> + return NGX_OK;
> +}
> +
> +ngx_int_t
> ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)

Same here.

[...]

> --- a/src/http/modules/ngx_http_ssl_module.c
> +++ b/src/http/modules/ngx_http_ssl_module.c
> @@ -307,6 +307,12 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
> { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
> (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
>
> + { ngx_string("ssl_client_not_before"), NULL, ngx_http_ssl_variable,
> + (uintptr_t) ngx_ssl_get_client_not_before, NGX_HTTP_VAR_CHANGEABLE, 0
> },
> +
> + { ngx_string("ssl_client_not_after"), NULL, ngx_http_ssl_variable,
> + (uintptr_t) ngx_ssl_get_client_not_after, NGX_HTTP_VAR_CHANGEABLE, 0 },
> +
> { ngx_null_string, NULL, NULL, 0, 0, 0 }
> };

It should be better to put these variables after $ssl_client_serial,
much like the functions themselves.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
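Review bot: in the quoted ngx_ssl_get_client_not_after() hunk the continuation line `> ngx_str_t *s)` carries no `+` marker and no indentation, so as quoted the hunk would not apply; if this is only the mail client wrapping the long signature line, please confirm the submitted patch has `+    ngx_str_t *s)` on that line and keeps the signature under 80 columns, as the neighbouring `ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)` line does.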
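Review bot: the two new ngx_http_ssl_vars[] entries add user-visible variables, but nothing in the patch documents them; since the nginx.org documentation is maintained separately, the variables list at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables linked above needs matching entries for $ssl_client_not_before and $ssl_client_not_after that also state the date format they produce (the 'Jul 9 22:20:31 2015 GMT' form shown in the example). The `},` of the $ssl_client_not_before entry has also ended up on its own quoted line without a `+`, so check that line length in the actual patch as well.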
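As an added example, not part of the thread and not code from the nginx patch under review, here is how a backend behind the proxy_set_header configuration quoted above could consume the forwarded dates in the "your certificate will expire soon" sense the reply asks about, while treating them as informational only. The header names, the header values and the date format are the ones shown in the message; the function names, the warning threshold and the use of the message's own Date line as "now" are assumptions.

```python
"""
Backend-side handling of the X-ClientCert-NotBefore / X-ClientCert-NotAfter
headers that the proxy_set_header example in the thread would forward.

Added example, not code from the nginx patch under review.  Header names,
values and date format come from the message; the warning policy and the
helper names are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Printable time format as forwarded in the example headers, e.g.
# "Jul  9 22:20:31 2015 GMT" (the day may be space-padded to two columns).
_CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_time(value: str) -> datetime:
    """Parse a header value in the forwarded time format into an aware UTC
    datetime.  Raises ValueError on anything else, so a malformed or
    empty header can never be mistaken for a real date."""
    normalized = " ".join(value.split())   # collapse the space-padded day
    naive = datetime.strptime(normalized, _CERT_TIME_FORMAT)
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until the client certificate expires (negative if it
    already has).  'now' must be an aware datetime."""
    return (parse_cert_time(not_after) - now).days


def expiry_warning(headers: dict, now: datetime, threshold_days: int = 30):
    """Return a warning string when the client certificate expires within
    threshold_days, else None.

    This is the 'certificate will expire soon' use speculated about in the
    reply, not an authorization check: nginx has already rejected client
    certificates outside their validity period before the request reached
    the backend.  The backend must also only trust these headers on
    connections that can only originate from nginx; proxy_set_header
    replaces a same-named header sent by the client, but that only helps
    when every request really does pass through the proxy.
    """
    try:
        remaining = days_remaining(headers["X-ClientCert-NotAfter"], now)
    except (KeyError, ValueError):
        return None  # header absent or unparsable: nothing to warn about
    if remaining <= threshold_days:
        return "client certificate %s expires in %d day(s)" % (
            headers.get("X-ClientCert-SubjectSerial", "<unknown>"), remaining)
    return None


# Constructed sample input: the header values from the message, and 'now'
# taken from the message's own Date line (Mon, Sep 07, 2015 20:18:29 +0300).
SAMPLE_HEADERS = {
    "X-ClientCert-SubjectSerial": "120005C82FBE782D06D89FF14800000005C82F",
    "X-ClientCert-NotBefore": "Jul  9 22:20:31 2015 GMT",
    "X-ClientCert-NotAfter": "Oct  9 22:30:31 2015 GMT",
}
SAMPLE_NOW = datetime(2015, 9, 7, 20, 18, 29,
                      tzinfo=timezone(timedelta(hours=3)))

if __name__ == "__main__":
    print(days_remaining(SAMPLE_HEADERS["X-ClientCert-NotAfter"], SAMPLE_NOW))
    print(expiry_warning(SAMPLE_HEADERS, SAMPLE_NOW, threshold_days=45))
```

With the sample values the certificate has 32 days left, so the default 30-day threshold stays silent and a 45-day threshold produces the warning; a header that does not parse is ignored rather than treated as expired, because the point of the check is a courtesy message, not a decision the backend is entitled to make on its own.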