Configure NGINX for IoT_pki

IoT_pki needs to work behind a proxy server such as NGINX to enable the verification of client certificates.

Include the following in your NGINX configuration file.

Note that there are two certificate directives here, which should not be confused. The ssl_certificate is the certificate which identifies your web server; it may or may not be signed by a public certification authority such as Verisign or Let's Encrypt.

The ssl_client_certificate is the CA certificate which signed your client certificates, which you create as shown in Creating a Certificate Authority.

If you renew your CA certificate and need to accept client certificates signed by different CAs, you can create a certificates.pem file which simply contains all of the PEM-encoded CA certificates copy-pasted one after the other in a text editor.

server {

    listen 443 ssl;                     # always use TLS (replaces the deprecated "ssl on;")
    server_name pki.myserver.com;

    ssl_certificate /etc/ssl/myCA/myserver.com.pem;       # identifies this web server, not for verifying your clients!
    ssl_certificate_key /etc/ssl/myCA/myserver.com.key;   # private key for the server certificate

    ssl_client_certificate /home/certs/theCAs_made_By_IoT_pki.pem;  # must be the CA cert(s) which signed your clients
    #ssl_crl /home/jmm/myCA/private/ca.crl;  # location of the revocation list
    ssl_verify_client optional;   # optional: the application then checks the verification status itself
    ssl_verify_depth 2;
    ssl_session_timeout 5m;
    # disallow insecure SSL protocols and ciphers (SSLv2, SSLv3, TLSv1 and TLSv1.1 are not offered)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Maximum file upload size is 4MB - change accordingly if needed
    client_max_body_size 4M;
    client_body_buffer_size 128k;

    root /var/www/html;
    index index.php index.html index.htm;

    location / {

        proxy_pass http://localhost:8000/;  # point this to your Django server
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_connect_timeout 60;
        proxy_read_timeout 90;
        # SSL settings for django-ssl-client-auth.
        # proxy_set_header overwrites any X-SSL-* header the client sent, so Django sees
        # the proxy's own verification result, provided the Django port is reachable
        # only through this proxy.
        proxy_set_header X-SSL-User-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Authenticated $ssl_client_verify;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Rest-API 0; # Change to 1 to bypass
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
    }
}

NGINX configuration for X509 certificates with uWSGI and Django

If you are using uWSGI for your Django server, then to verify the X509 certificates you must replace proxy_set_header with uwsgi_param.

Also note that uwsgi_param requires that the variable name is entirely in capital letters and uses underscores instead of hyphens.

The variables set with uwsgi_param are accessed from Django with a statement like this:

client_verify = request.META['HTTP_X_SSL_AUTHENTICATED']

This variable is “NONE” if no client certificate was supplied, “SUCCESS” if the certificate verified against the CA, or “FAILED:reason” if verification failed.
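The following is an added example (not part of IoT_pki or django-ssl-client-auth) of how a Django application can interpret the three forwarded values. It assumes Django is reachable only through NGINX, so the X-SSL-* values are the proxy's own; the META dicts and the "Zibawa" subject names are constructed.

```python
"""Interpret the client-certificate values the NGINX config forwards to Django.
Added example, not IoT_pki code.  Assumes requests reach Django only through
NGINX (proxy_set_header / uwsgi_param overwrite anything the client sent)."""
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    status: str            # "NONE", "SUCCESS" or "FAILED"
    reason: str = ""       # text after "FAILED:" when verification failed
    serial: str = ""       # $ssl_client_serial, only kept after SUCCESS
    dn: dict = field(default_factory=dict)  # parsed $ssl_client_s_dn

    @property
    def authenticated(self) -> bool:
        return self.status == "SUCCESS"


def parse_dn(dn: str) -> dict:
    """Parse $ssl_client_s_dn in either NGINX form: RFC 2253 'CN=dev1,O=Zibawa'
    (nginx >= 1.11.6) or legacy '/C=GB/O=Zibawa/CN=dev1'.  Escaped separators
    are not handled."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def classify(meta: dict) -> ClientCert:
    """Turn the forwarded META values into an authentication decision.
    Identity attributes (DN, serial) are only trusted after SUCCESS."""
    verify = meta.get("HTTP_X_SSL_AUTHENTICATED", "NONE")
    if verify == "SUCCESS":
        return ClientCert("SUCCESS", "",
                          meta.get("HTTP_X_SSL_CLIENT_SERIAL", ""),
                          parse_dn(meta.get("HTTP_X_SSL_USER_DN", "")))
    if verify.startswith("FAILED"):
        return ClientCert("FAILED", verify.partition(":")[2])
    return ClientCert("NONE")   # no certificate offered, or header absent


# Constructed sample META dicts mirroring what the config would set
SAMPLE_OK = {"HTTP_X_SSL_AUTHENTICATED": "SUCCESS",
             "HTTP_X_SSL_USER_DN": "CN=device01,O=Zibawa",
             "HTTP_X_SSL_CLIENT_SERIAL": "1A2B"}
SAMPLE_EXPIRED = {"HTTP_X_SSL_AUTHENTICATED": "FAILED:certificate has expired"}
```

In a view, pass `request.META` to `classify()` and reject the request unless `.authenticated` is true; the DN and serial can then be matched against the devices IoT_pki issued.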

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name app.zibawa.com;
    ssl_certificate /etc/ssl/myCA/myserver.com.pem;       # identifies this web server, not for verifying your clients!
    ssl_certificate_key /etc/ssl/myCA/myserver.com.key;   # private key for the server certificate
    # pki
    ssl_client_certificate /home/zibawa/pki/certs/currentnginx_ca.pem;  # must be the CA cert(s) which signed your clients
    #ssl_crl /home/jmm/myCA/private/ca.crl;  # location of the revocation list
    ssl_verify_client optional;   # optional: the application then checks the verification status itself
    ssl_verify_depth 2;

    # Maximum file upload size is 4MB - change accordingly if needed
    client_max_body_size 4M;
    client_body_buffer_size 128k;
    charset utf-8;
    root /var/www/html;
    index index.html index.htm;

    # Django media
    location /media {
        alias /var/www/html/zibawa/media;   # your Django project's media files - amend as required
    }

    location /static {
        alias /var/www/html/zibawa/static;  # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location / {
        uwsgi_pass django;   # "django" must be defined in an upstream {} block (not shown on this page)
        include /etc/nginx/uwsgi_params;  # the uwsgi_params file usually installed with nginx
        # below used to pass the SSL certificate parameters to uwsgi;
        # uwsgi_param names must be upper case with underscores (see above)
        uwsgi_param HTTP_X_SSL_USER_DN $ssl_client_s_dn;
        uwsgi_param HTTP_X_SSL_AUTHENTICATED $ssl_client_verify;
        uwsgi_param HTTP_X_REAL_IP $remote_addr;
        uwsgi_param HTTP_X_SSL_CLIENT_SERIAL $ssl_client_serial;
    }
}

pki/nginx_config.txt · Last modified: 2017/07/25 10:56 by matt