Cert Authentication on Nginx

If you are like me, then one of your biggest pet peeves with Nginx is its lack of authentication methods like those so easily accessible in Apache. Beyond that, adding an authentication method to Nginx typically requires a recompile. If you are running Debian or Ubuntu, I would like to introduce you to nginx-extras. The nginx-extras package is compiled with all the standard modules as well as some very useful extras, which are listed here. So without further ado, first we have to make sure the required package, nginx-extras, is installed.

apt-get install nginx-extras

Once the required packages are installed, we can start configuring our virtual host. Configuring Nginx for certificate-based authentication is fairly straightforward: add your certificate paths to the /etc/sites-available/[Your-Website].conf file as seen below. Once the configuration changes have been made, you must restart the nginx service.

ssl_client_certificate /etc/nginx/ssl/client/ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;

It is important to note that for this tutorial I used the CA and certificates that are generated in pfSense Firewall for use with OpenVPN Server. The following options are available for ssl_verify_client.

Syntax: ssl_verify_client on | off | optional | optional_no_ca;
Default: ssl_verify_client off;
Context: http, server
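
A complete server block showing where these directives sit and how the optional mode differs from on, as an added example that is not from the original article. The server name, the server certificate paths, the document root and the /private/ location are assumptions; only the client CA path comes from the tutorial.

```nginx
# Added example. Names and paths marked "placeholder" are assumptions.
server {
    listen 443 ssl;
    server_name example.internal;                   # placeholder

    # The server's own certificate and key (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # CA bundle used to verify client certificates (path from the tutorial).
    # Every certificate issued by this CA will be accepted, so if the CA is
    # shared with another service, all of that service's certificates
    # authenticate here as well.
    ssl_client_certificate /etc/nginx/ssl/client/ca.crt;
    ssl_verify_depth 2;

    # "on" makes nginx itself reject any request that arrives without a
    # valid client certificate. "optional" only requests a certificate:
    # requests without one are still served, so each protected location
    # has to check the verification result explicitly.
    ssl_verify_client optional;

    location / {
        # Public content, reachable without a client certificate.
        root /var/www/html;                         # placeholder
    }

    location /private/ {
        # $ssl_client_verify is SUCCESS, FAILED:<reason>, or NONE when no
        # certificate was presented. Anything but SUCCESS is refused.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        root /var/www/html;                         # placeholder
    }
}
```

With ssl_verify_client on, as in the tutorial, the if check is unnecessary because the whole server already requires a valid certificate.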

When it is all said and done, if you followed the tutorial, navigating to your certificate-enabled site will now give you the option of choosing an installed certificate.

If you are looking for other authentication methods using Nginx, please see our companion articles AD/LDAP Authentication on Nginx and MySQL Authentication on Nginx.
