|
|
@ -24,15 +24,41 @@ OpenSSL 1.0.2h 3 May 2016 |
|
|
|
|
|
|
|
~~~ |
|
|
|
SSLCACertificateFile /etc/ssl/certs/CA.pem |
|
|
|
SSLVerifyDepth 1 |
|
|
|
SSLVerifyClient require |
|
|
|
SSLVerifyClient optional |
|
|
|
#SSLVerifyClient require |
|
|
|
SSLOptions +FakeBasicAuth |
|
|
|
~~~ |
|
|
|
|
|
|
|
### Nginx |
|
|
|
|
|
|
|
/etc/nginx/sites-enabled/vhostname |
|
|
|
|
|
|
|
~~~ |
|
|
|
ssl_client_certificate /etc/ssl/certs/CA.pem; |
|
|
|
ssl_verify_client require; |
|
|
|
ssl_verify_client optional; |
|
|
|
#ssl_verify_client on; |
|
|
|
~~~ |
|
|
|
|
|
|
|
/etc/nginx/conf.d/ssl-client.conf |
|
|
|
|
|
|
|
~~~ |
|
|
|
map $ssl_client_s_dn $ssl_client_s_cn |
|
|
|
{ |
|
|
|
default ""; |
|
|
|
~/CN=(?<CN>[^/]+) $CN; |
|
|
|
} |
|
|
|
~~~ |
|
|
|
|
|
|
|
Authentification via proxy : |
|
|
|
|
|
|
|
~~~ |
|
|
|
proxy_set_header X-Authenticated-User $ssl_client_s_cn; |
|
|
|
~~~ |
|
|
|
|
|
|
|
Authentification via fastcgi : |
|
|
|
|
|
|
|
~~~ |
|
|
|
fastcgi_param REMOTE_USER $ssl_client_s_cn; |
|
|
|
~~~ |
|
|
|
|
|
|
|
### Dovecot |
|
|
@ -66,6 +92,21 @@ passdb { |
|
|
|
jdoe:{plain}::::::nopassword |
|
|
|
~~~ |
|
|
|
|
|
|
|
## Coté application web |
|
|
|
|
|
|
|
### Gogs / Gitea |
|
|
|
|
|
|
|
app.ini |
|
|
|
|
|
|
|
~~~ |
|
|
|
[security] |
|
|
|
REVERSE_PROXY_AUTHENTICATION_USER = X-Authenticated-User |
|
|
|
|
|
|
|
[service] |
|
|
|
ENABLE_REVERSE_PROXY_AUTHENTICATION = true |
|
|
|
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false |
|
|
|
~~~ |
|
|
|
|
|
|
|
## Coté client |
|
|
|
|
|
|
|
### Curl |
|
|
|