From 6889132dfcee1c3fd5ec6fa8f65cdec439a4664b Mon Sep 17 00:00:00 2001
From: William Dix
Date: Sun, 14 Dec 2014 21:24:22 -0500
Subject: [PATCH 1/4] Adds ability to add client auth to SSL proxy.
---
 nginx.tmpl | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index 3747678..647da63 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -71,6 +71,9 @@ upstream {{ $host }} {
 {{/* Get the first cert name defined by containers w/ the same vhost */}}
 {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
 
+{{/* Get the first SSL_VERIFY_CLIENT defined by containers w/ the same vhost */}}
+{{ $sslVerifyClient := (first (groupByKeys $containers "Env.SSL_VERIFY_CLIENT")) }}
+
 {{/* Get the best matching cert by name for the vhost. */}}
 {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
 
@@ -102,10 +105,18 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
 
+ {{ if $sslVerifyClient }}
+ ssl_verify_client {{ (printf "%s" $sslVerifyClient) }};
+ ssl_client_certificate /etc/nginx/certs/{{ (printf "%s.cacert.pem" $cert) }};
+ {{ end }}
+
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 
 location / {
- proxy_pass http://{{ $host }};
+ {{ if $sslVerifyClient }}
+ proxy_set_header Subject-Name $ssl_client_s_dn;
+ {{ end }
+ proxy_pass http://{{ $host }};
 }
 }
 {{ else }}
From 5fd333c11ed4574eb41264a0df7a1a4bca005591 Mon Sep 17 00:00:00 2001
From: William Dix
Date: Sun, 14 Dec 2014 21:29:01 -0500
Subject: [PATCH 2/4] fixes typo in nginx.tmpl
---
 nginx.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index 647da63..d371dc5 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -115,7 +115,7 @@ server {
 location / {
 {{ if $sslVerifyClient }}
 proxy_set_header Subject-Name $ssl_client_s_dn;
- {{ end }
+ {{ end }}
 proxy_pass http://{{ $host }};
 }
 }
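Review bot: `ssl_verify_client {{ (printf "%s" $sslVerifyClient) }};` writes the SSL_VERIFY_CLIENT value into the config without validation; nginx accepts only `on`, `off`, `optional` or `optional_no_ca` for this directive, so any other value makes the regenerated file fail `nginx -t` and takes every vhost in the file down with it. Nesting a whitelist inside the existing `{{ if $sslVerifyClient }}` (nested, so the comparison never runs on a missing value), e.g. `{{ if or (eq $sslVerifyClient "on") (eq $sslVerifyClient "optional") }}`, keeps a stray value out of the config. With `optional` a client that sends no certificate still reaches the upstream, and with `optional_no_ca` the DN was never checked against the CA, so the upstream needs the outcome as well as the name: add `proxy_set_header Subject-Verify $ssl_client_verify;` beside `proxy_set_header Subject-Name $ssl_client_s_dn;`. If the same backend is also reachable through the plain-http server block further down the template, it must not treat `Subject-Name` as authenticated there, since nothing strips a client-supplied header on that path.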
From f27be7b348fa38999c1e732d95d5b9c3b7453125 Mon Sep 17 00:00:00 2001
From: William Dix
Date: Tue, 16 Dec 2014 10:09:37 -0500
Subject: [PATCH 3/4] Update nginx.tmpl to make use of additional environment variables for specifying client CA name and additional location options.
---
 nginx.tmpl | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/nginx.tmpl b/nginx.tmpl
index d371dc5..93fe67e 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -70,6 +70,9 @@ upstream {{ $host }} {
 
 {{/* Get the first cert name defined by containers w/ the same vhost */}}
 {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
+{{ $clientCAName := (first (groupByKeys $containers "Env.CLIENT_CA_NAME")) }}
+
+{{ $locationOptions := (split (trimSuffix "]" (trimPrefix "[" (first (groupByKeys $containers "Env.SSL_LOCATION_OPTIONS")))) ",") }}
 
 {{/* Get the first SSL_VERIFY_CLIENT defined by containers w/ the same vhost */}}
 {{ $sslVerifyClient := (first (groupByKeys $containers "Env.SSL_VERIFY_CLIENT")) }}
@@ -107,14 +110,14 @@ server {
 
 {{ if $sslVerifyClient }}
 ssl_verify_client {{ (printf "%s" $sslVerifyClient) }};
- ssl_client_certificate /etc/nginx/certs/{{ (printf "%s.cacert.pem" $cert) }};
+ ssl_client_certificate /etc/nginx/certs/{{ (printf "%s" $clientCAName) }};
 {{ end }}
 
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 
 location / {
- {{ if $sslVerifyClient }}
- proxy_set_header Subject-Name $ssl_client_s_dn;
+ {{ range $option := $locationOptions }}
+ {{ (trimSuffix "'" (trimPrefix "'" (printf "%s" $option))) }};
 {{ end }}
 proxy_pass http://{{ $host }};
 }
@@ -125,7 +128,10 @@ server {
 server_name {{ $host }};
 
 location / {
- proxy_pass http://{{ $host }};
+ {{ range $option := $locationOptions }}
+ {{ (trimSuffix "'" (trimPrefix "'" (printf "%s" $option))) }};
+ {{ end }}
+ proxy_pass http://{{ $host }};
 }
 }
 
From 517807dd2c9a535192c3e6725a7cf8d08330538f Mon Sep 17 00:00:00 2001
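Review bot: The `$locationOptions` line runs for every vhost, including those whose containers do not set SSL_LOCATION_OPTIONS; `first` then yields no value, and handing that to `trimPrefix` appears to abort rendering (docker-gen's trim helpers take a string), so one vhost without the option would stop config generation for all of them. Defaulting the lookup, `(or (first (groupByKeys $containers "Env.SSL_LOCATION_OPTIONS")) "")`, avoids that, but `split "" ","` still yields one empty entry and the `range` in the second and third hunks then emits a bare `;`, which nginx rejects as an unexpected `;`, so each emitted entry also needs an `{{ if $option }}` guard. A comment above this line should state that each entry is written verbatim into the `location` block, i.e. any container that can set this variable for the vhost controls the proxy configuration for that host; splitting on `,` will also cut directives whose arguments themselves contain a comma.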
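Review bot: `ssl_client_certificate /etc/nginx/certs/{{ (printf "%s" $clientCAName) }};` is emitted whenever SSL_VERIFY_CLIENT is set, but nothing checks that CLIENT_CA_NAME is set too; with it missing, `printf "%s"` renders Go's nil placeholder and nginx is pointed at a file that does not exist, so the whole config is refused. Requiring both, `{{ if and $sslVerifyClient $clientCAName }}`, or falling back to the previous `%s.cacert.pem` convention would keep one misconfigured container from breaking every vhost. Because the value is used as a bare path component under /etc/nginx/certs, document it as a file name rather than a path. Removing the `proxy_set_header Subject-Name` line here moves forwarding of the client identity to the caller-supplied location options, which is a behaviour change worth a sentence in the README or commit message.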
From: William Dix
Date: Tue, 16 Dec 2014 20:48:37 -0500
Subject: [PATCH 4/4] Update readme to include additional options. Update env variable for additional directives in location declaration naming.
---
 README.md | 9 +++++++++
 nginx.tmpl | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1371fba..008ce23 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,15 @@ hosts in use. The certificate and keys should be named after the virtual host w
 `.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a
 `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.
 
+#### Further Nginx configuration
+
+In order to enable SSL client verification, start the containers with `SSL_VERIFY_CLIENT` environment variable and use
+`CLIENT_CA_NAME` to specify the name of the SSL Client Certificate Authority file to use.
+
+You can also specify additional configuration information to be used within the location declaration, by specifying the
+`LOCATION_OPTIONS` environment variable. Directives are separated with commas.
+
+
 #### Wildcard Certificates
 
 Wildcard certificates and keys should be name after the domain name with a `.crt` and `.key` extension.
diff --git a/nginx.tmpl b/nginx.tmpl
index 93fe67e..e1a6570 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -72,7 +72,7 @@ upstream {{ $host }} {
 {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
 {{ $clientCAName := (first (groupByKeys $containers "Env.CLIENT_CA_NAME")) }}
 
-{{ $locationOptions := (split (trimSuffix "]" (trimPrefix "[" (first (groupByKeys $containers "Env.SSL_LOCATION_OPTIONS")))) ",") }}
+{{ $locationOptions := (split (trimSuffix "]" (trimPrefix "[" (first (groupByKeys $containers "Env.LOCATION_OPTIONS")))) ",") }}
 
 {{/* Get the first SSL_VERIFY_CLIENT defined by containers w/ the same vhost */}}
 {{ $sslVerifyClient := (first (groupByKeys $containers "Env.SSL_VERIFY_CLIENT")) }}