NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Is it possible to activate ssl_verify_client? #175

Open ricain59 opened 4 years ago

ricain59 commented 4 years ago

Hello, is it possible to enable the "ssl_verify_client on" functionality? When I enable it on the "advanced" tab, the proxy host goes offline.

Thank you.

Edit: Log error:

    ==> /opt/nginx-proxy-manager/log/nginx/error.log <==
    2019/07/24 14:18:57 [error] 2262#2262: *4512 SSL_do_handshake() failed (SSL: error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: x.x.x.x, server: x.x.x, request: "GET /favicon.ico HTTP/1.1", upstream: "https://x.x.x.x/favicon.ico", host: "x.x.x", referrer: "https://x.x.x/"

dmwilson1990 commented 2 years ago

With a bit of a workaround it is possible to do this. For whatever reason you're very limited in what you can add to the Edit Proxy Host >> Advanced >> Custom Nginx Configuration section. However, you can put an include. I wanted to authenticate with my smart card, so I added two read-only binds to the docker-compose stack:

      - /docker/proxy/DoD_CAs.pem:/etc/ssl/certs/DoD_CAs.pem:ro
      - /docker/proxy/cac_auth.conf:/etc/nginx/conf.d/include/cac_auth.conf:ro

Inside the custom nginx configuration section I added include conf.d/include/cac_auth.conf;

You should be able to add any custom nginx config using this method that would otherwise be unsupported in NPM. Here's what is inside my cac_auth.conf.

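    # CA bundle used to verify client certificates (bind-mounted read-only above)
    ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;
    # Require a client certificate that chains to one of those CAs
    ssl_verify_client on;
    # !~ is a case-sensitive regex non-match; the pattern is unanchored,
    # so it is searched for anywhere in the subject DN
    if ($ssl_client_s_dn !~ "CN=YOURCERTCOMMONNAMEHERE") {
      return 403;
    }
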
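
The CN check in cac_auth.conf is a regex test, so how the pattern is written decides which subject DNs get past the 403. This added example (not part of the comment above or of NPM) replays that test in Python over constructed DNs, assuming Python's `re` behaves like nginx's PCRE for these constructs; `EXPECTED_CN`, `strict_pattern` and the sample DNs are hypothetical.

```python
import re

# Constructed sample CN standing in for the placeholder in cac_auth.conf.
EXPECTED_CN = "DOE.JOHN.A.1234567890"

def page_pattern(cn):
    """Pattern shape used in cac_auth.conf: unanchored, CN inserted verbatim."""
    return "CN=" + cn

def strict_pattern(cn):
    """Hypothetical stricter form (an assumption, not from the thread):
    regex metacharacters escaped, and the CN attribute bounded by
    start-of-string or comma on the left and comma or end on the right."""
    return r"(?:^|,)CN=" + re.escape(cn) + r"(?:,|$)"

def allowed(pattern, subject_dn):
    """Mirror `if ($ssl_client_s_dn !~ pattern) { return 403; }`:
    the request passes only when the regex matches somewhere in the DN."""
    return re.search(pattern, subject_dn) is not None

# Constructed subject DNs in the comma-separated form of $ssl_client_s_dn.
SAMPLE_DNS = {
    "intended user": "CN=DOE.JOHN.A.1234567890,OU=People,O=Example,C=US",
    "longer CN, same prefix": "CN=DOE.JOHN.A.12345678901,OU=People,O=Example,C=US",
    "dot matched as wildcard": "CN=DOE-JOHN-A-1234567890,OU=People,O=Example,C=US",
}

def compare(cn=EXPECTED_CN):
    """Return {label: (page_result, strict_result)} for each sample DN."""
    return {
        label: (allowed(page_pattern(cn), dn), allowed(strict_pattern(cn), dn))
        for label, dn in SAMPLE_DNS.items()
    }

if __name__ == "__main__":
    for label, (loose, strict) in compare().items():
        print(f"{label:26} page pattern: {loose!s:5}  strict pattern: {strict}")
```

Both lookalike DNs would still need a certificate issued by a CA in the trusted bundle, so the pattern matters most when that bundle covers many subjects.
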
github-actions[bot] commented 3 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: