feat: support for non-optional cert (generic only)

2025-12-06 05:41:35 +01:00 · 2024-01-21 19:04:40 +00:00
parent c136721137
commit de148b1686
2 changed files with 7 additions and 0 deletions
--- a/templates/nginx_server_block.conf.j2
+++ b/templates/nginx_server_block.conf.j2
@@ -17,7 +17,11 @@ server{

    {% if cert_optional %}
    ssl_client_certificate ca_cert.pem;
+    {% if cert_non_optional %}
+    ssl_verify_client on;
+    {% else %}
    ssl_verify_client optional;
+    {% endif %}
    ssl_verify_depth 1;
    {% endif %}
    
--- a/vm.py
+++ b/vm.py
@@ -144,12 +144,15 @@ class VM:
                header_line = "proxy_set_header X-Nginx-Cert-Auth false;"
                cert_optional = False

+            cert_non_optional = subdomain.get("cert-non-optional") or False
+
            component = template.render(targetip=self.ip, targetport=targetport, 
                            servernames=[subdomain["name"]], comment=compositeName,
                            proxy_pass_blob=self.proxy_pass_blob, acme=not self.noTerminateACME,
                            basicauth=subdomain.get("basicauth"),
                            extra_location=subdomain.get("extra-location"),
                            cert_optional=cert_optional,
+                            cert_non_optional=cert_non_optional,
                            cert_header_line=header_line)
            components.append(component)