ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    How to setup Nginx TLS certificate based Authentication (VPN alternative)

    Scheduled Pinned Locked Moved IT Discussion
    nginxtlssslcertcertificateauthentication
    21 Posts 4 Posters 6.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Emad RE
      Emad R @Alex Sage
      last edited by

      @aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

      What about mobile devices? I assume you can install the certificate there as well?

      https://support.google.com/nexus/answer/2844832?hl=en

      1 Reply Last reply Reply Quote 0
      • Emad RE
        Emad R @Alex Sage
        last edited by

        @aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

        This is very cool!

        Can I revoke a client certificate? Say if the employee leaves the company?

        Good question, going back to another guide I saw had this article:

        https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

        Revoking Certificates

        On one final note, as with all exercises, it’s important to be practical and know that things change. Inevitably there will come a time when someone leaves your team and their certificate needs to be invalidated. Running the following script with the correct username will add the user’s certificate to the revocation list and ensure that they can no longer access the site:

        openssl ca -name CA_Default  
        -revoke /etc/ssl/ca/certs/users/USERNAME.crt 
        -keyfile /etc/ssl/ca/private/ca.key 
        -cert /etc/ssl/ca/certs/ca.crt
        
        openssl ca -name CA_Default -gencrl 
            -keyfile /etc/ssl/ca/private/ca.key 
            -cert /etc/ssl/ca/certs/ca.crt 
            -out /etc/ssl/ca/private/ca.crl 
            -crldays 1095
        
        

        I dont know why he posted 2 commands, it seems the first one does the trick.

        JaredBuschJ 1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch @Emad R
          last edited by

          @emad-r because you only link a single cert in the nginx config.

          So once you revoke one user, you need to rebuild the full cert with that user excluded.

          1 Reply Last reply Reply Quote 2
          • Emad RE
            Emad R @Emad R
            last edited by

            @emad-r

            If you are trying this and testing it out with Chrome without success, please make sure to test and exit chrome completely then open it again and check if the results changed or not.

            1 Reply Last reply Reply Quote 0
            • NashBrydgesN
              NashBrydges
              last edited by

              @Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

              JaredBuschJ Emad RE 2 Replies Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @NashBrydges
                last edited by JaredBusch

                @nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                @Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

                Simply use a different URL for the restricted pages versus open pages.
                secure.domain.com vs www.domain.com

                Only have the client certs in the nginx config for the secure.domain.com server block.

                Both blocks can still be SSL.

                Which i might add, is why he should have put everything in separate config files and not screw up the default nginx.conf

                NashBrydgesN 1 Reply Last reply Reply Quote 2
                • NashBrydgesN
                  NashBrydges @JaredBusch
                  last edited by

                  @jaredbusch said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                  @nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                  @Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

                  Simply use a different URL for the restricted pages versus open pages.
                  secure.domain.com vs www.domain.com

                  Only have the client certs in the nginx config for the secure.domain.com server block.

                  Both blocks can still be SSL.

                  Nice! Didn't think of using a sub-domain. Definitely going to have to give this a try.

                  1 Reply Last reply Reply Quote 0
                  • Emad RE
                    Emad R @NashBrydges
                    last edited by Emad R

                    @nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                    @Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

                    Hey Nash,
                    Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

                    Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

                    Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

                    So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

                    JaredBuschJ 1 Reply Last reply Reply Quote 1
                    • NashBrydgesN
                      NashBrydges
                      last edited by

                      It's official, I'm NEVER getting through my to-do list. Must stop coming here. Lol

                      1 Reply Last reply Reply Quote 2
                      • JaredBuschJ
                        JaredBusch @Emad R
                        last edited by

                        @emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                        Now I needed to manually add the ca.crt file to "/etc/pki/tls/certs/ca-bundle.crt" (this took days of research)...
                        So copy the contents of "/etc/pki/nginx/ca.crt" and paste it at the end of "/etc/pki/tls/certs/ca-bundle.crt" Finally restart nginx

                        # Append the ca.crt to the ca-bundle.crt
                        cat /etc/pki/nginx/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
                        
                        1 Reply Last reply Reply Quote 1
                        • JaredBuschJ
                          JaredBusch @Emad R
                          last edited by JaredBusch

                          @emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                          @nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                          @Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

                          Hey Nash,
                          Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

                          Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

                          Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

                          So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

                          You will also now have to replace client certificates yearly.

                          Emad RE 1 Reply Last reply Reply Quote 1
                          • Emad RE
                            Emad R @Emad R
                            last edited by

                            @emad-r

                            Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.

                            What I did I install Fedora LXDE spin

                            Then installed ontop of that VNC on port 5901 made it run on local host

                            Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
                            so http://192.168.1.x:7777
                            allows me to connect to my machine.

                            stay with me.

                            Using this method I tried to proxy http://192.168.1.x:7777 and use nginx extra security

                            It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:

                            noVNC-5.png

                            with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.

                            NashBrydgesN 1 Reply Last reply Reply Quote 0
                            • Emad RE
                              Emad R @JaredBusch
                              last edited by

                              @jaredbusch said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                              @emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                              @nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                              @Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

                              Hey Nash,
                              Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

                              Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

                              Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

                              So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

                              You will also now have to replace client certificates yearly.

                              But that is good security practice as well. I will know when this happens when they all complain the same time about site access 🙂 no need to set reminder

                              1 Reply Last reply Reply Quote 0
                              • NashBrydgesN
                                NashBrydges @Emad R
                                last edited by

                                @emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                                @emad-r

                                Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.

                                What I did I install Fedora LXDE spin

                                Then installed ontop of that VNC on port 5901 made it run on local host

                                Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
                                so http://192.168.1.x:7777
                                allows me to connect to my machine.

                                stay with me.

                                Using this method I tried to proxy http://192.168.1.x:7777 and use nginx extra security

                                It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:

                                noVNC-5.png

                                with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.

                                I prefer using Guacamole for all my remote access needs but I think I'll definitely implement something like this to restrict access to my own staff.

                                1 Reply Last reply Reply Quote 4
                                • A
                                  Alex Sage
                                  last edited by Alex Sage

                                  Couldn't I change the number of days to something longer?

                                  Emad RE 1 Reply Last reply Reply Quote 0
                                  • Emad RE
                                    Emad R @Alex Sage
                                    last edited by

                                    @aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                                    Couldn't I change the number of days to something longer?

                                    yh ofcourse, replace all the 365 in the above commands to whatever you want.

                                    A 1 Reply Last reply Reply Quote 1
                                    • A
                                      Alex Sage @Emad R
                                      last edited by

                                      @emad-r 3650 🙂

                                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                                      • JaredBuschJ
                                        JaredBusch @Alex Sage
                                        last edited by

                                        @aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

                                        @emad-r 3650 🙂

                                        One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken.

                                        Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.

                                        1 Reply Last reply Reply Quote 4
                                        • 1
                                        • 2
                                        • 1 / 2
                                        • First post
                                          Last post