On Sun, Aug 25, 2013 at 08:53:57AM +0200, Christian Felsing wrote:

Hi there,

> Nginx should be used as a reverse proxy and configured for client
> certificate authentication. Backoffice application supports basic auth only.
> Apache 2.4 solution for that kind of problems is "Fake Basic Auth" so
> backoffice application gets a remote_user and password generated from
> client certificate presented by user.

So, in nginx and http terms, at the point where you "proxy_pass http://backoffice", you also want to "proxy_set_header Authorization" with the correct value.

The correct value is "Basic " followed by the base64-encoding of user:pass, where "user" and "pass" are respectively the username and password that you want the backoffice application to see.

Presumably you have a method of deriving the username from the client certificate, and you have a method for deriving the password for this username.

I'm not aware of a distribution-nginx-config way of doing the base64 encoding. You could try using a part of a third-party module like http://wiki.nginx.org/HttpSetMiscModule, or perhaps you could use one of the language modules to do the conversion. (Or you could write a dedicated module to just do exactly what you want.)

Another option, if you have a fixed set of client certificates, could be to use a "map" to hardcode the Authorization header value for each certificate, and then use that variable in the "proxy_set_header" line -- that would not need anything extra from nginx; and, as a bonus, whatever method you have to turn the certificate into a username can be opaque to nginx, so it can be as complicated as you like.

f
-- 
Francis Daly [email protected]
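
The "map" option described in the reply above, as an added example that is not part of the original message: a Python script that precomputes the "Basic " plus base64(user:pass) value for each known certificate and prints the nginx map block. The subject DNs, the credentials and the variable name `$backoffice_auth` are constructed for illustration; `$ssl_client_s_dn` is the nginx SSL module variable holding the verified client certificate's subject DN, and the server is assumed to already verify client certificates.

```python
import base64

# Constructed sample data: subject DN exactly as nginx renders it in
# $ssl_client_s_dn, mapped to the credentials the backoffice should see.
CERT_USERS = {
    "CN=alice,OU=Staff,O=Example": ("alice", "constructed-pass-1"),
    "CN=bob,OU=Staff,O=Example": ("bob", "constructed-pass-2"),
}


def basic_auth_value(user, password):
    """Return "Basic " followed by base64(user:pass)."""
    if ":" in user:
        raise ValueError("a Basic auth username cannot contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def nginx_quote(value):
    """Double-quote a map source value, refusing input that nginx would
    treat as something other than a literal string."""
    if value.startswith(("~", "\\")) or any(c in value for c in "$\r\n"):
        raise ValueError(f"unsafe map key: {value!r}")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_map(cert_users, variable="$backoffice_auth"):
    """Render the map block; $backoffice_auth is a hypothetical name."""
    lines = [
        f"map $ssl_client_s_dn {variable} {{",
        '    default "";  # unknown certificate: no Authorization header',
    ]
    for dn, (user, password) in sorted(cert_users.items()):
        lines.append(f'    {nginx_quote(dn)} "{basic_auth_value(user, password)}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_map(CERT_USERS))
    # Then, where the request is proxied:
    #   proxy_set_header Authorization $backoffice_auth;
    #   proxy_pass http://backoffice;
```

With the empty default, nginx does not pass an Authorization header at all for certificates missing from the map, which also drops any Authorization header the client sent itself. The generated file contains password equivalents, so it should be readable only by the nginx configuration owner.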
