How to setup Nginx TLS certificate based Authentication (VPN alternative)
-
@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
What about mobile devices? I assume you can install the certificate there as well?
-
@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
This is very cool!
Can I revoke a client certificate? Say if the employee leaves the company?
Good question, going back to another guide I saw had this article:
https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
Revoking Certificates
On one final note, as with all exercises, it’s important to be practical and know that things change. Inevitably there will come a time when someone leaves your team and their certificate needs to be invalidated. Running the following script with the correct username will add the user’s certificate to the revocation list and ensure that they can no longer access the site:
openssl ca -name CA_Default -revoke /etc/ssl/ca/certs/users/USERNAME.crt -keyfile /etc/ssl/ca/private/ca.key -cert /etc/ssl/ca/certs/ca.crt openssl ca -name CA_Default -gencrl -keyfile /etc/ssl/ca/private/ca.key -cert /etc/ssl/ca/certs/ca.crt -out /etc/ssl/ca/private/ca.crl -crldays 1095I dont know why he posted 2 commands, it seems the first one does the trick.
-
@emad-r because you only link a single cert in the nginx config.
So once you revoke one user, you need to rebuild the full cert with that user excluded.
-
If you are trying this and testing it out with Chrome without success, please make sure to test and exit chrome completely then open it again and check if the results changed or not.
-
@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).
-
@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).
Simply use a different URL for the restricted pages versus open pages.
secure.domain.com vs www.domain.comOnly have the client certs in the nginx config for the secure.domain.com server block.
Both blocks can still be SSL.
Which i might add, is why he should have put everything in separate config files and not screw up the default nginx.conf
-
@jaredbusch said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).
Simply use a different URL for the restricted pages versus open pages.
secure.domain.com vs www.domain.comOnly have the client certs in the nginx config for the secure.domain.com server block.
Both blocks can still be SSL.
Nice! Didn't think of using a sub-domain. Definitely going to have to give this a try.
-
@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).
Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.
Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.
So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.
-
It's official, I'm NEVER getting through my to-do list. Must stop coming here. Lol
-
@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
Now I needed to manually add the ca.crt file to "/etc/pki/tls/certs/ca-bundle.crt" (this took days of research)...
So copy the contents of "/etc/pki/nginx/ca.crt" and paste it at the end of "/etc/pki/tls/certs/ca-bundle.crt" Finally restart nginx# Append the ca.crt to the ca-bundle.crt cat /etc/pki/nginx/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt -
@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).
Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.
Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.
So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.
You will also now have to replace client certificates yearly.
-
Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.
What I did I install Fedora LXDE spin
Then installed ontop of that VNC on port 5901 made it run on local host
Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
so http://192.168.1.x:7777
allows me to connect to my machine.stay with me.
Using this method I tried to proxy http://192.168.1.x:7777 and use nginx extra security
It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:
with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.
-
@jaredbusch said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).
Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.
Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.
So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.
You will also now have to replace client certificates yearly.
But that is good security practice as well. I will know when this happens when they all complain the same time about site access
no need to set reminder -
@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.
What I did I install Fedora LXDE spin
Then installed ontop of that VNC on port 5901 made it run on local host
Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
so http://192.168.1.x:7777
allows me to connect to my machine.stay with me.
Using this method I tried to proxy http://192.168.1.x:7777 and use nginx extra security
It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:
with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.
I prefer using Guacamole for all my remote access needs but I think I'll definitely implement something like this to restrict access to my own staff.
-
Couldn't I change the number of days to something longer?
-
@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
Couldn't I change the number of days to something longer?
yh ofcourse, replace all the 365 in the above commands to whatever you want.
-
@emad-r 3650
-
@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):
@emad-r 3650
One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken.
Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.
