To address this issue, a "client-side SSL certificate" authentication mechanism is introduced to authenticate user access to the server website. The client certificate is managed on a per-user basis by a CA (Central Certification Authority) and can be revoked at any time. This blog will walk you though the Docker implementation of a Nginx "client-side SSL certificate" authentication.
Pre-Requisites:
- A Linux server with Docker engine installed. (preferably Ubuntu 17.04)
- git
- openssl
Creating and Signing Your Certs
If you already have your CA keys and CA certs, that's awesome, but in case you don't, I will quickly show you how to create a private one.1. Create the CA Key and Certificate for signing Client Certs
# openssl genrsa -out ca.key 2048 # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2. Create the Server Key, CSR, and Certificate
# openssl genrsa -out server.key 2048 # openssl req -new -key server.key -out server.csr
3. Self signing our own server cert here, DO NOT self signing your cert for prod!
# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
4. Create the Client Key and CSR
# openssl genrsa -out client.key 2048 # openssl req -new -key client.key -out client.csr
5. Sign the client certificate with our CA cert.
# openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Checkout my modified version of Nginx-Proxy Docker container:
Nginx-Proxy Docker ContainerCreate a "nginx-proxy" Docker network
# docker network create nginx-proxy-public
Import all the certificates:
Go into the nginx-proxy folder:# cp ca.crt volumes/certs/ # cp server.key volumes/certs/ # cp server.key volumes/certs/
The "nginx.tmpl" file should auto detect these certificates and generate properate server configurations.
Start nginx-proxy container:
# docker-compose up -d
Check the Nginx is up and running
# docker-compose ps pixelcloud-nginx_proxy-docker_gen /usr/local/bin/docker-gen ... Up pixelcloud-nginx_proxy-lets_encrypt /bin/bash /app/entrypoint. ... Up pixelcloud-nginx_proxy-nginx nginx Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
Now your Nginx Proxy network is ready for "client side" SSL certificate authentication.
The line "195 ssl_verify_client on;" in "nginx.tmpl" is the main technique behind this. This tells nginx to verify to SSL certificate.
Now after this step, any other Docker containers you spin up and join the "nginx-proxy-public" will verify the client connections using "client side SSL certificate".
If the client doesn't have the client SSL certs imported into their brower when browsing the website, it will receive a "400 Bad Request" images like the following:
No comments:
Post a Comment