I would like to use an X509 client authentication for a secure API access.
X509 certificates are generated by our CA (memberca).
The aim is that:
I think I may be able to manage that directly in the Nginx configuration. How should I do that?
Can I do it with Django? If so, how should I do it? Can I match, with either solution, the certificate to a user?
For instance can Nginx map some certificate data with a WSGI header so I can match my user ?
I already configured a similar setup.
First, I used Apache2 to authenticate the user.
You need to enable mod_ssl, and have to define (globally):
Now your server is ready to verify a client X.509 certificate.
If you don't want to use apache2 as the frontal web server, you can configure it as a reverse proxy by enabling mod_proxy.
You just need to define a virtualhost like this:
<VirtualHost *:443>
ServerName test.example.com:443
ServerAdmin [email protected]
RequestHeader set Front-End-Https "On"
# Here I define two headers, Auth-User and Remote-User.
# They will contain the key SSL_CLIENT_S_DN_CN, which is the name of the
# client certificate's owner.
<If "-n %{SSL_CLIENT_S_DN_CN}">
# If the key doesn't exist, it means that the certificate wasn't sent or
# it was revoked.
RequestHeader set Auth-User "%{SSL_CLIENT_S_DN_CN}s"
RequestHeader set Remote-User "%{SSL_CLIENT_S_DN_CN}s"
</If>
# Now enable SSL, and SSL via the proxy
SSLEngine on
SSLProxyEngine on
## Require a client certificate
# SSLVerifyClient require
## NB: I prefer to set it to optional, in order to allow the user
## to connect to my application in a degraded mode (login+password).
## It's easy to detect if the user was authenticated by apache by looking
## at HTTP_AUTH_USER or HTTP_REMOTE_USER
SSLVerifyClient optional
# Maximum depth of CA certificates in client certificate verification
SSLVerifyDepth 4
# Now I pass all of this to my application, which is run in nginx for example:
<Location />
ProxyPass http://<application host>
ProxyPassReverse http://<application host>
ProxyPreserveHost on
# Send all information about the client/server certificates to the application
SSLOptions +StdEnvVars +ExportCertData
</Location>
</VirtualHost>
And now, with Django, you just have to enable the Remote Authentication backend as described here.
All information extracted from the client certificate is sent to the application, so using the request object (and/or middlewares) you can use it.
I hope it helped you.
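As an added illustration of the application side (example code, not from the answer above or from Django), here is a minimal WSGI middleware that turns the Auth-User header set by the Apache front end into REMOTE_USER, the variable Django's RemoteUserMiddleware and RemoteUserBackend consume, and that implements the "degraded mode" fallback the answer describes. Because SSLVerifyClient optional lets requests without a certificate through, and the <If> block above only overwrites the header when a CN is present, the middleware only honours the header when the request came from the proxy (the trusted proxy addresses are an assumption).

```python
from typing import Callable, Iterable, Optional

# Constructed for this example: addresses the Apache reverse proxy connects from.
# Assumption, not taken from the original answer.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def cert_user(environ: dict) -> Optional[str]:
    """Return the certificate CN relayed by Apache, or None for degraded mode.

    The Auth-User header shows up in WSGI as HTTP_AUTH_USER.  It is trusted only
    when the request arrived from the proxy: a direct client, or one that sent no
    certificate, could otherwise supply the header itself.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    cn = environ.get("HTTP_AUTH_USER", "").strip()
    return cn or None


class CertAuthMiddleware:
    """Populate (or clear) REMOTE_USER from the proxy-supplied header."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        user = cert_user(environ)
        if user:
            environ["REMOTE_USER"] = user
        else:
            # No certificate (or untrusted origin): fall back to login+password.
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the Django application behind the proxy."""
    user = environ.get("REMOTE_USER")
    body = f"hello {user}" if user else "please log in with a password"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def handle(environ: dict) -> str:
    """Run one request through the middleware and return the response body."""
    app = CertAuthMiddleware(demo_app)
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

In a real Django deployment the same mapping is done by subclassing django.contrib.auth.middleware.RemoteUserMiddleware and setting its header attribute to "HTTP_AUTH_USER".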