116 lines
1.9 KiB
Markdown
116 lines
1.9 KiB
Markdown
---
|
|
title: Howto SSL authentification
|
|
categories: security
|
|
...
|
|
|
|
[SSL/TLS](HowtoSSL) est un protocole de sécurisation des échanges réseau.
|
|
Il est principalement connu pour le chiffrement de contenu entre client et serveur et l'authentificaton des dits serveurs.
|
|
Ce que l'on sait moins, c'est que SSL/TLS permet aussi l'authentification des clients et propose ainsi une alternatives aux mots de passe.
|
|
|
|
* <https://www.openssl.org/docs/>
|
|
|
|
## Installation
|
|
|
|
~~~
|
|
# apt install openssl
|
|
|
|
$ openssl version
|
|
OpenSSL 1.0.2h 3 May 2016
|
|
~~~
|
|
|
|
## Coté serveur
|
|
|
|
### Apache
|
|
|
|
~~~
|
|
SSLCACertificateFile /etc/ssl/certs/CA.pem
|
|
SSLVerifyClient optional
|
|
#SSLVerifyClient require
|
|
SSLOptions +FakeBasicAuth
|
|
~~~
|
|
|
|
### Nginx
|
|
|
|
/etc/nginx/sites-enabled/vhostname
|
|
|
|
~~~
|
|
ssl_client_certificate /etc/ssl/certs/CA.pem;
|
|
ssl_verify_client optional;
|
|
#ssl_verify_client on;
|
|
~~~
|
|
|
|
/etc/nginx/conf.d/ssl-client.conf
|
|
|
|
~~~
|
|
map $ssl_client_s_dn $ssl_client_s_cn
|
|
{
|
|
default "";
|
|
~/CN=(?<CN>[^/]+) $CN;
|
|
}
|
|
~~~
|
|
|
|
Authentification via proxy :
|
|
|
|
~~~
|
|
proxy_set_header X-Authenticated-User $ssl_client_s_cn;
|
|
~~~
|
|
|
|
Authentification via fastcgi :
|
|
|
|
~~~
|
|
fastcgi_param REMOTE_USER $ssl_client_s_cn;
|
|
~~~
|
|
|
|
### Dovecot
|
|
|
|
/etc/dovecot/conf.d/10-ssl.conf
|
|
|
|
~~~
|
|
ssl = yes
|
|
ssl_ca = /etc/ssl/certs/CA.pem
|
|
ssl_cert_username_field = commonName
|
|
~~~
|
|
|
|
/etc/dovecot/conf.d/10-auth.conf
|
|
|
|
~~~
|
|
auth_ssl_require_client_cert = yes
|
|
auth_ssl_username_from_cert = yes
|
|
passdb {
|
|
driver = passwd-file
|
|
args = /etc/dovecot/passwd-file
|
|
|
|
deny = no
|
|
master = no
|
|
pass = no
|
|
}
|
|
~~~
|
|
|
|
/etc/dovecot/passwd-file
|
|
|
|
~~~
|
|
jdoe:{plain}::::::nopassword
|
|
~~~
|
|
|
|
## Coté application web
|
|
|
|
### Gogs / Gitea
|
|
|
|
app.ini
|
|
|
|
~~~
|
|
[security]
|
|
REVERSE_PROXY_AUTHENTICATION_USER = X-Authenticated-User
|
|
|
|
[service]
|
|
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
|
|
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
|
|
~~~
|
|
|
|
## Coté client
|
|
|
|
### Curl
|
|
|
|
~~~
|
|
curl --cert ./client.crt --key ./client.key -u "user:pass" "https://example.com"
|
|
~~~ |