Channel: Nginx Forum - How to...

auth_request POST errors

Hi everyone

I have to configure an administration area for a site. That administration area has to be authenticated with client certificates. The certificate subject is checked by a PHP application that either allows or denies access. Everything seems to work fine for GET requests but for POST requests I get 499 and 500 errors. It happens with any application I have tried: Shell in a box, Pydio, Zabbix, etc.

This is an excerpt of my nginx configuration:

...
proxy_intercept_errors on;
...
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_verify_client optional;
...
location /shell { # This is for Shell in a box
    auth_request /admin/auth.php;
    proxy_pass http://127.0.0.1:4200;
}
...
location /zabbix/ { # This is for Zabbix

    auth_request /admin/auth.php;

    index index.php index.html;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm-as.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }

    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
        expires max;
        log_not_found off;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~ /\. {
        deny all;
    }
}
...
location /admin/auth.php {
    internal;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
    fastcgi_param HTTPS on;
    fastcgi_pass unix:/var/run/php5-fpm-as.sock;
}
...

This is a basic version of the auth.php file:

<?php

$response = 403; // Access forbidden by default
$subject = strtoupper($_SERVER["SSL_CLIENT_S_DN"]); // Certificate subject

$valid1 = "XXX1"; // Let's just assume this is the valid subject on an accepted certificate
$valid2 = "XXX2"; // Let's just assume this is the valid subject on an accepted certificate

if (!empty($subject)) {
    switch ($subject) {
        case $valid1:
        case $valid2:
            $response = 200;
            break;
        default:
            $response = 401;
    }
}

// Translate the decision into the status code auth_request inspects
switch ($response) {
    case 200:
        header('Status: 200 OK', true, 200);
        break;
    case 401:
        header('Status: 401 Unauthorized', true, 401);
        break;
    case 403:
        header('Status: 403 Forbidden', true, 403);
        break;
}

?>

Again, as stated above, everything seems to work fine for GET requests, but POST requests fail. Any ideas?

Thanks in advance
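For reference, here is an added example of the auth_request handler location written the way the nginx auth_request documentation recommends for subrequests, adapted from proxy_pass to fastcgi_pass. It is not the poster's configuration. The auth_request subrequest is issued in the access phase, before nginx has read the client body, so the handler must not pass the body on or announce a CONTENT_LENGTH it cannot deliver; `fastcgi_pass_request_body off` plus an empty CONTENT_LENGTH (set after the include so it is the later definition) is the FastCGI analogue of the `proxy_pass_request_body off; proxy_set_header Content-Length "";` pair in the nginx documentation. The socket path and script name are taken from the configuration above; the SSL_CLIENT_VERIFY parameter is an addition, because with `ssl_verify_client optional` a handshake with a certificate that fails chain validation still completes and `$ssl_client_s_dn` is still populated, so the script should also check that `$ssl_client_verify` is `SUCCESS` before trusting the subject.

```nginx
# Added example, not the original poster's config.
# Exact match ("=") so a top-level "location ~ \.php$" cannot capture the
# auth handler and bypass the "internal" restriction.
location = /admin/auth.php {
    internal;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Identity data for auth.php. SSL_CLIENT_VERIFY is "SUCCESS" only when the
    # client chain validated against ssl_client_certificate; with
    # "ssl_verify_client optional" an untrusted certificate still completes the
    # handshake, so the script must check this value as well as the subject.
    fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
    fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
    fastcgi_param HTTPS on;

    # Original request details the check may want (optional, constructed names).
    fastcgi_param X_ORIGINAL_URI    $request_uri;
    fastcgi_param X_ORIGINAL_METHOD $request_method;

    # auth_request runs before the client body has been read. Do not forward a
    # body, and do not advertise one via CONTENT_LENGTH (inherited from
    # fastcgi_params as $content_length), or PHP-FPM blocks waiting for stdin
    # bytes that never arrive, which surfaces as 499/500 on POST requests.
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";

    fastcgi_pass unix:/var/run/php5-fpm-as.sock;
}
```

The X_ORIGINAL_URI and X_ORIGINAL_METHOD parameter names are made up for this example (any name works; they arrive in `$_SERVER` under that name). A quick check after reloading is to issue a POST with a body to a protected location and confirm in the error log that PHP-FPM no longer times out on the subrequest while GET behaviour is unchanged.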
