feat: support for cert based authentication

2025-12-06 05:41:35 +01:00 · 2023-05-28 17:25:25 +02:00
parent 7567dbaa4b
commit 09c37b2a65
5 changed files with 35 additions and 1 deletions
--- a/nginx.py
+++ b/nginx.py
@@ -63,9 +63,12 @@ def dump_config(vmList, masterAddress):
    with open("/etc/nginx/nginx.conf", "w") as f:

        with open("./config/nginx.json") as j:
+
            nginxJson = json.load(j)
            env = jinja2.Environment(loader=jinja2.FileSystemLoader(searchpath="./templates"))
            template = env.get_template("nginx.conf.j2")
+            mapsTemplate = env.get_template("nginx_maps.j2")
+            nginxJson["maps"] = mapsTemplate.render()
            content = template.render(nginxJson)

            f.write(content)
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -11,6 +11,8 @@ events {

 http {

+    {{ maps }}
+
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
--- a/templates/nginx_maps.j2
+++ b/templates/nginx_maps.j2
@@ -0,0 +1,10 @@
+map $ssl_client_s_dn $allow_group_main {
+    default "";
+    ~CN=Sheppy2 true;
+    ~CN=Kathi true;
+}
+
+map $ssl_client_s_dn $allow_group_ths {
+    default "";
+    ~OU=THS true;
+}
--- a/templates/nginx_server_block.conf.j2
+++ b/templates/nginx_server_block.conf.j2
@@ -13,6 +13,12 @@ server{

    listen 80;
    listen [::]:80;
+
+    {% if cert_optional %}
+    ssl_client_certificate ca_cert.pem;
+    ssl_verify_client optional;
+    ssl_verify_depth 1;
+    {% endif %}
    
    {% if extra_location %}
    location {{ extra_location["location"] }} {
@@ -28,6 +34,7 @@ server{
        proxy_pass http://{{ targetip }}:{{ targetport }};
        proxy_set_header Host $http_host;
        {{ proxy_pass_blob }}
+        {{ cert_header_line }}
        {% if basicauth %}
        auth_basic "{{ basicauth }}";
        auth_basic_user_file /etc/nginx/{{ basicauth }}.htpasswd;
--- a/vm.py
+++ b/vm.py
@@ -134,11 +134,23 @@ class VM:

            compositeName = "-".join((self.hostname, subdomain["name"].replace(".","-")))
            targetport = subdomain.get("port") or 80
+            
+            # build cert group #
+            if subdomain.get("cert-group"):
+                cert_group_name = subdomain.get("cert-group")
+                header_line = "proxy_set_header X-Nginx-Cert-Auth $allow_group_{};".format(cert_group_name)
+                cert_optional = True
+            else:
+                header_line = "proxy_set_header X-Nginx-Cert-Auth false;"
+                cert_optional = False
+
            component = template.render(targetip=self.ip, targetport=targetport, 
                            servernames=[subdomain["name"]], comment=compositeName,
                            proxy_pass_blob=self.proxy_pass_blob, acme=not self.noTerminateACME,
                            basicauth=subdomain.get("basicauth"),
-                            extra_location=subdomain.get("extra-location"))
+                            extra_location=subdomain.get("extra-location"),
+                            cert_optional=cert_optional,
+                            cert_header_line=header_line)
            components.append(component)

        return components