Reverse Proxy Config
TLS terminates at the reverse proxy, so the proxy is the only component that ever sees the certificate the client presented during the TLS handshake. The reverse proxy must do two things to correctly pass that certificate on to the pulpcore-content app:
- Forward the client's TLS certificate in the X-CLIENT-CERT header.
- Urlencode the value of X-CLIENT-CERT. A PEM certificate spans many lines and an HTTP header value cannot carry raw CR or LF characters, so the newlines have to be percent-encoded to fit on one header line.
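To make the header contract concrete, the following added Python example (illustration only, not pulp-certguard's own code) shows the receiving side: how the proxy's percent-encoding turns a multi-line PEM into a legal single-line header value, and how the app can recover a canonical PEM from it. It also handles the unencoded form that the Apache < 2.4.10 section below describes; that such a value arrives with its newlines collapsed into spaces is an assumption made for this example, not a description of pulp-certguard's detection logic. The PEM itself is a constructed placeholder with the PEM layout, not a real certificate, and nothing here parses X.509.

```python
"""Receiving side of X-CLIENT-CERT: decode what the reverse proxy forwards.

Added illustration, not pulp-certguard's own code. CLIENT_PEM is a constructed
placeholder with PEM layout (armor lines, 64-column base64), not a real cert.
"""
import base64
import re
from urllib.parse import quote, unquote

# Constructed stand-in for a DER certificate: 120 fixed bytes, base64-wrapped
# at 64 columns the way PEM is, between the usual armor lines.
_DER_PLACEHOLDER = bytes(range(120))
_B64 = base64.b64encode(_DER_PLACEHOLDER).decode()
CLIENT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def proxy_header_value(pem: str) -> str:
    """Percent-encode a PEM the way the nginx / Apache 2.4.10+ configs do.

    safe="" so '/' and '+' inside the base64 body are encoded as well. The
    result is one line with no raw CR/LF, which is what makes it a legal
    HTTP header value.
    """
    return quote(pem, safe="")


def is_valid_header_value(value: str) -> bool:
    """An HTTP field value must not contain a bare CR or LF (RFC 7230)."""
    return "\r" not in value and "\n" not in value


def pem_from_header(value: str) -> str:
    """Recover a canonical PEM from an X-CLIENT-CERT header value.

    Accepts the urlencoded form (nginx, Apache >= 2.4.10) and, as a fallback,
    a value whose newlines were collapsed to spaces (assumed here to be what
    the unencoded pre-2.4.10 Apache path delivers). Raises ValueError when no
    certificate armor is present or the body is not base64.
    """
    text = unquote(value)
    match = _PEM_RE.search(text)
    if not match:
        raise ValueError("no PEM certificate armor found in X-CLIENT-CERT")
    # Drop whatever line structure (newlines or spaces) survived the proxy,
    # check the body really is base64, then reflow it at 64 columns.
    body = re.sub(r"\s+", "", match.group(1))
    try:
        base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("certificate body is not valid base64") from exc
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )
```

The decoder deliberately does not trust the line structure of the incoming value at all; it only trusts the armor markers and the base64 body, which is why the same function serves both the encoded and the space-folded cases.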
Nginx Config Example
To configure Nginx to accept a client cert and forward it urlencoded:
- Enable checking of the client cert with the ssl_verify_client directive; ssl_client_certificate must point at the CA bundle the client certs are verified against.
- Configure the X-CLIENT-CERT header to be forwarded urlencoded. When proxy_set_header is used for a header name, Nginx replaces any header of that name the client itself sent, so a client cannot inject its own value; no separate unset step is needed. The $ssl_client_escaped_cert variable (available since nginx 1.13.5) holds the client cert in PEM format, urlencoded:
proxy_set_header X-CLIENT-CERT $ssl_client_escaped_cert;
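Putting the two steps together, here is an added example of a complete Nginx server block; it is not from the pulp-certguard documentation, and the hostnames, certificate paths, the /pulp/content/ prefix and the upstream port 24816 are placeholders assumed for the example and must be adapted to the deployment.

```nginx
# Added example, not from the pulp-certguard docs. Hostnames, paths, the
# content prefix and the upstream port are placeholders to adapt.
server {
    listen 443 ssl;
    server_name pulp.example.com;

    ssl_certificate     /etc/pki/tls/certs/pulp.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/pulp.example.com.key;

    # CA bundle the presented client certificates are verified against.
    ssl_client_certificate /etc/pki/tls/certs/client-ca.crt;
    # "on" rejects handshakes without a valid client cert at the TLS layer.
    # "optional" lets the request through (with an empty header when no cert
    # was presented) and leaves the decision to certguard, which is needed
    # when the same vhost also serves content that requires no client cert.
    ssl_verify_client on;
    ssl_verify_depth 2;

    location /pulp/content/ {
        proxy_pass http://127.0.0.1:24816;
        proxy_set_header Host $host;
        # proxy_set_header replaces any X-CLIENT-CERT the client sent itself,
        # so only the certificate seen in the TLS handshake reaches the app.
        proxy_set_header X-CLIENT-CERT $ssl_client_escaped_cert;
    }
}
```

After reloading, a request made with a client certificate (for example with curl --cert and --key) should be served, while the same request with a forged X-CLIENT-CERT header and no TLS client cert must not be, because the header the app sees is the one Nginx set, not the one the client sent.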
Apache 2.4.10+ Config Example
To configure Apache to accept a client cert, urlencode it, and forward it you will need to:
- Enable checking of the client cert with the SSLVerifyClient directive, with SSLCACertificateFile pointing at the CA bundle the client certs are verified against.
- Make the client certificate available as an environment variable with:
SSLOptions +ExportCertData
- Configure the X-CLIENT-CERT header to be urlencoded and forwarded. To prevent a client from supplying its own value, unset the header first. Then use mod_headers with the expr= syntax and its escape function to urlencode the SSL_CLIENT_CERT environment variable:
RequestHeader unset X-CLIENT-CERT
RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}"
Apache < 2.4.10 Config Example
Apache versions earlier than 2.4.10 cannot urlencode the client certificate in RequestHeader. pulp-certguard tries to detect this situation and work anyway.
In this case, to configure Apache to accept a client cert and forward it unencoded you will need to:
- Enable checking of the client cert with the SSLVerifyClient directive.
- Make the client certificate available as an environment variable with:
SSLOptions +ExportCertData
- Configure the X-CLIENT-CERT header to be forwarded. To prevent a client from supplying its own value, unset the header first, then forward the contents of the SSL_CLIENT_CERT environment variable as they are:
RequestHeader unset X-CLIENT-CERT
RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s"
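The following added example of a complete Apache virtual host combines the steps of both Apache sections above; it is not from the pulp-certguard documentation. The 2.4.10+ and pre-2.4.10 RequestHeader lines are shown together, with the older one commented out. Hostnames, certificate paths, the /pulp/content/ prefix and the upstream port 24816 are placeholders assumed for the example and must be adapted to the deployment.

```apache
# Added example, not from the pulp-certguard docs. Hostnames, paths, the
# content prefix and the upstream port are placeholders to adapt.
<VirtualHost *:443>
    ServerName pulp.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/pulp.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/pulp.example.com.key

    # CA bundle the presented client certificates are verified against.
    SSLCACertificateFile /etc/pki/tls/certs/client-ca.crt
    # "require" rejects handshakes without a valid client cert at the TLS
    # layer; "optional" passes the request on and leaves the decision to
    # certguard (SSL_CLIENT_CERT is then empty when no cert was presented).
    SSLVerifyClient require
    SSLVerifyDepth 2
    # Export the PEM client certificate as SSL_CLIENT_CERT so mod_headers
    # can read it.
    SSLOptions +ExportCertData

    # Never trust a client-supplied X-CLIENT-CERT: drop it before setting ours.
    RequestHeader unset X-CLIENT-CERT
    # Apache 2.4.10 and later: urlencode the PEM with the expr= escape function.
    RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}"
    # Apache older than 2.4.10 cannot urlencode. Use this line instead of the
    # one above and rely on pulp-certguard detecting the unencoded form.
    # RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s"

    ProxyPreserveHost On
    ProxyPass        /pulp/content/ http://127.0.0.1:24816/pulp/content/
    ProxyPassReverse /pulp/content/ http://127.0.0.1:24816/pulp/content/
</VirtualHost>
```

Keep exactly one of the two RequestHeader set lines active: with both present the second would overwrite the first, and on a pre-2.4.10 server the expr= line is not understood at all. The unset line stays in either variant so that a header sent by the client never survives to the app.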