NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.89k stars 2.66k forks

Add client certificate support #768

Open Likqez opened 3 years ago

Likqez commented 3 years ago

Implement client certificates

Is your feature request related to a problem? Please describe. I am securing my web applications with Cloudflare access. I did all the proxying through manual configuration of an nginx server. But because I am running more and more applications, I wanted to have a nice GUI like this from npm. As long as npm does not support client certificates, I cannot protect my website from unwanted access.

Describe the solution you'd like I would like a feature to upload an SSL Cert without a key. Which is currently not possible. And then use it inside a proxy host, to verify the client's certificate.

dmwilson1990 commented 3 years ago

With a bit of a workaround it is possible to do this. For whatever reason you're very limited in what you can add to the Edit Proxy Host >> Advance >> Custom Nginx Configuration section. However, you can put include. I wanted to authenticate with my smart card so I added two read-only binds to the docker-compose stack:

      - /docker/proxy/DoD_CAs.pem:/etc/ssl/certs/DoD_CAs.pem:ro
      - /docker/proxy/cac_auth.conf:/etc/nginx/conf.d/include/cac_auth.conf:ro

Inside the custom nginx configuration section I added include conf.d/include/cac_auth.conf;

You should be able to add any custom nginx config using this method that would otherwise be unsupported in NPM. Here's what is inside my cac_auth.conf.

ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;
ssl_verify_client on;
if ($ssl_client_s_dn !~ "CN=YOURCERTCOMMONNAMEHERE") {
  return 403;
}

Likqez commented 3 years ago

Thanks for the tip! Native support would be awesome tho :)

ybizeul commented 1 year ago

Tried @dmwilson1990's recommendation:

Command failed: /usr/sbin/nginx -t -g "error_log off;"
nginx: [emerg] invalid condition "!~" in /etc/nginx/conf.d/include/client_cert.conf:3
nginx: configuration file /etc/nginx/nginx.conf test failed

That's the file content:

ssl_client_certificate /data/custom_ssl/tynsoe_ca.pem;
ssl_verify_client on;
if ($ssl_client_s_dn !~ "CN=yann") {
  return 403;
}

EDIT: It might have been that I didn't have Safari sending the certificate, because I didn't have it in my keychain yet. I removed the block totally though, as I'm assuming it'll trust any CA generated certificate in that case
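
For anyone adapting the include file from this thread, here is an added example (not from any commenter or from the project): the subject check as posted is a substring regex, shown here beside a form that compares the whole subject DN. The CA path and the DN values are placeholders.

```nginx
# Added example, not from the thread. Path and DN values are placeholders.

# As posted above: an unanchored regex. "CN=yann" also matches
# "CN=yannick,..." and any other subject that merely contains that string.
#   if ($ssl_client_s_dn !~ "CN=yann") { return 403; }

# Trust only the CA(s) that issue your client certificates. Every
# certificate that chains to this file passes ssl_verify_client, so with a
# large shared bundle the subject check below is the real access control.
ssl_client_certificate /data/custom_ssl/client_ca.pem;   # placeholder path
ssl_verify_client on;
ssl_verify_depth 2;   # default is 1; raise only if your chain has intermediates

# $ssl_client_s_dn holds the subject in RFC 2253 form, for example
# "CN=yann,OU=Users,O=Example". Compare the whole string for equality
# instead of searching inside it.
if ($ssl_client_s_dn != "CN=yann,OU=Users,O=Example") {   # constructed DN
    return 403;
}
```

Without any subject check, `ssl_verify_client on` admits every certificate issued under the configured CA file, so dropping the `if` block is only appropriate when that CA issues certificates to authorized users alone.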

github-actions[bot] commented 5 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

CsBigDataHub commented 2 months ago

Yes this is a desired feature.

kintoxo commented 1 month ago

Please add built-in support for using user certificates in nginx-proxy-manager.

GregTheHun commented 1 month ago

I would also like this as well

metahertz commented 1 month ago

Please add your support for a working PR for this feature w/full UI support by @wrouesnel here: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956