Fabio/nginx-proxy-manager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Add template support for all host types to do client CA authorization

Browse source 
When an access list contains client CAs, the combined CA auth file is
added to all location blocks via an `if` statement. This allows
LetsEncrypt and other support paths to work, while correctly denying
access to the protected resources.
This commit is contained in:
Will Rouesnel 2023-05-29 02:29:42 +10:00
parent fb766d14e9
commit 366efc8ac2
No known key found for this signature in database
GPG key ID: 72DC65802A1091C5
4 changed files with 17 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
backend/internal/access-list.js
View file

@ -264,7 +264,6 @@ const internalAccessList = {
}, true /* <- skip masking */);
})
.then((row) => {
console.log(row);
return internalAccessList.build(row)
.then(() => {
if (row.proxy_host_count) {
@ -603,7 +602,6 @@ const internalAccessList = {
});
const caCertificateBuild = new Promise((resolve, reject) => {
// TODO: we need to ensure this rebuild is run if any certificates change
logger.info('Building Client CA file #' + list.id + ' for: ' + list.name);
let clientca_file = internalAccessList.getClientCAFilename(list);

8
backend/internal/proxy-host.js
View file

@ -74,7 +74,7 @@ const internalProxyHost = {
// re-fetch with cert
return internalProxyHost.get(access, {
id: row.id,
expand: ['certificate', 'owner', 'access_list.[clients,items]']
expand: ['certificate', 'owner', 'access_list.[clientcas.certificate,clients,items]']
});
})
.then((row) => {
@ -188,7 +188,7 @@ const internalProxyHost = {
.then(() => {
return internalProxyHost.get(access, {
id: data.id,
expand: ['owner', 'certificate', 'access_list.[clients,items]']
expand: ['owner', 'certificate', 'access_list.[clientcas.certificate,clients,items]']
})
.then((row) => {
if (!row.enabled) {
@ -225,7 +225,7 @@ const internalProxyHost = {
.query()
.where('is_deleted', 0)
.andWhere('id', data.id)
.allowGraph('[owner,access_list,access_list.[clients,items],certificate]')
.allowGraph('[owner,access_list.[clientcas.certificate,clients,items],certificate]')
.first();
if (access_data.permission_visibility !== 'all') {
@ -308,7 +308,7 @@ const internalProxyHost = {
.then(() => {
return internalProxyHost.get(access, {
id: data.id,
expand: ['certificate', 'owner', 'access_list']
expand: ['certificate', 'owner', 'access_list.[clientcas.certificate]']
});
})
.then((row) => {

6
backend/templates/_access.conf
View file

@ -1,4 +1,10 @@
{% if access_list_id > 0 %}
{% if access_list.clientcas.size > 0 %}
# TLS Client Certificate Authorization
if ($ssl_client_verify != "SUCCESS") {
return 403;
}
{% endif %}
{% if access_list.items.length > 0 %}
# Authorization
auth_basic "Authorization required";

8
backend/templates/_certificates.conf
View file

@ -11,4 +11,10 @@
ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
{% endif %}
{% endif %}
{% if access_list_id > 0 -%}
{% if access_list.clientcas.size > 0 %}
# Client Certificate Authorization ({{access_list.clientcas.size}} CAs)
ssl_client_certificate /data/clientca/{{ access_list_id }};
ssl_verify_client optional;
{% endif %}
{% endif %}