undefined | Better HN

0 pointsspilk9y ago0 comments

Is the certificate or its parameters (subject/issuer/alt names/etc) available to set downstream headers (for proxy/fastcgi)? I'm sure I'm missing it, but can't see anything like that in the docs. Or is this something that is more suitable for a plugin?

0 comments

2 comments · 1 top-level

mholt9y ago· 1 in thread

I'm not sure I understand the question. You want a TLS certificate to set HTTP headers?

spilkOP9y ago

Yes - X.509 client certificates are the authentication mechanism (TLS mutual authentication). How this generally works with other HTTP servers (i.e. nginx) is the proxy validates that the client's certificate are issued by a given authority and valid/not revoked, then injects headers with the certificate subject or other certificate fields (commonly a UPN in the subject alternative name) to tell the proxied application the identity of the user. nginx's TLS implementation populates variables with the various client certificate variables for use elsewhere (the $ssl_client* variables here: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#varia... )

In other cases, the entire client certificate is injected into a header (in PEM format) for the downstream application to process as it pleases.

This is a common use case in US Government since everyone carries X.509 certificates around their neck (ID badge is also a PIV smartcard). US Government usually implements this with F5 BIG-IP appliances but I usually use nginx.

j / k navigate · click thread line to collapse