docs: SSL client certificate validation mTLS · nginx-proxy/nginx-proxy@7edf50a · GitHub


Commit 7edf50a

docs: SSL client certificate validation mTLS
1 parent 5e77e29 commit 7edf50a

1 file changed (+32 -0 lines changed)

docs/README.md

Lines changed: 32 additions & 0 deletions
@@ -5,6 +5,7 @@
55
- [Docker Networking](#docker-networking)
66
- [Upstream (Backend) features](#upstream-backend-features)
77
- [Basic Authentication Support](#basic-authentication-support)
8+
- [mTLS client side certificate authentication](#mtls-client-side-certificate-authentication)
89
- [Logging](#logging)
910
- [SSL Support](#ssl-support)
1011
- [IPv6 Support](#ipv6-nat)
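Review bot: the new TOC entry breaks the list's Title Case convention ("Basic Authentication Support", "SSL Support") and "client side" should be hyphenated as the compound adjective "client-side". If the heading is changed to "mTLS Client-Side Certificate Authentication", update the anchor here and in the configuration table to `#mtls-client-side-certificate-authentication` in the same commit, since the current slug is derived from the current heading text.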
@@ -374,6 +375,36 @@ You'll need apache2-utils on the machine where you plan to create the htpasswd f
374375

375376
⬆️ [back to table of contents](#table-of-contents)
376377

378+
## mTLS client side certificate authentication
379+
In mTLS, both the client and server have a certificate, and both sides authenticate using their public/private key pair.
380+
A "root" TLS certificate is necessary for mTLS; this enables an organization to be their own certificate authority. The certificates used by authorized clients and servers have to correspond to this root certificate. The root certificate is self-signed, meaning that the organization creates it themselves.
381+
Make sure you have a root certificate (CA) and client public/private key pair. There is a [howto in the wiki](https://github.com/nginx-proxy/nginx-proxy/wiki/mTLS-client-side-certificate-authentication).
382+
383+
### Certificate Authority (CA)
384+
#### Per-VIRTUAL_HOST CA
385+
In order to secure a virtual host, you have to copy your CA certificate file (ca.crt) named as its equivalent `VIRTUAL_HOST` variable or if `VIRTUAL_HOST` is a regex, after the sha1 hash of the regex with the suffix `.ca.crt` in directory
386+
`/etc/nginx/certs/`. Example: `/etc/nginx/certs/app.example.com.ca.crt`.
387+
Or if your `VIRTUAL_HOST` is a regex: `/etc/nginx/certs/9ae5d1b655182b052fed458ec701f9ae1524e1c2.ca.crt`.
388+
389+
#### Global CA
390+
If you want to secure everything globally you can copy your CA certificate file (ca.crt) named as `ca.crt` in directory
391+
`/etc/nginx/certs/`. Example: `/etc/nginx/certs/ca.crt`.
392+
393+
### Certificate Revocation List (CRL)
394+
#### Per-VIRTUAL_HOST CRL
395+
In order to use a certificate revocation list, you have to copy your CRL file named as its equivalent `VIRTUAL_HOST` variable or if `VIRTUAL_HOST` is a regex, after the sha1 hash of the regex with the suffix `.crl.pem` in directory
396+
`/etc/nginx/certs/`. Example: `/etc/nginx/certs/app.example.com.crl.pem`.
397+
Or if your `VIRTUAL_HOST` is a regex: `/etc/nginx/certs/9ae5d1b655182b052fed458ec701f9ae1524e1c2.crl.pem`.
398+
399+
#### Global CRL
400+
If you want to use a global CRL file you have to copy your CRL file named as `ca.crl.pem` in directory
401+
`/etc/nginx/certs/`. Example: `/etc/nginx/certs/ca.crl.pem`.
402+
403+
### optional ssl_verify_client
404+
Optional [`ssl_verify_client`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client) can be activated by using the `com.github.nginx-proxy.nginx-proxy.ssl_verify_client: "optional"` label on a proxied container. If this label is set on a proxied container access is not blocked but the result of the mTLS verify is stored in the [$ssl_client_verify](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify) variable which you can use this in the [Per-VIRTUAL_HOST location](https://github.com/nginx-proxy/nginx-proxy/tree/main/docs#per-virtual_host-location-configuration) and [Per-VIRTUAL_PATH location](https://github.com/nginx-proxy/nginx-proxy/tree/main/docs#per-virtual_path-location-configuration) configurations.
405+
406+
⬆️ [back to table of contents](#table-of-contents)
407+
377408
## Logging
378409

379410
The default nginx access log format is
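Review bot: the "optional ssl_verify_client" paragraph says that with the `optional` label access is not blocked and the result lands in `$ssl_client_verify`, but it gives no example of acting on that variable, so a reader can set the label and leave the host effectively unauthenticated; add a short snippet to the per-VIRTUAL_HOST location section, for example `if ($ssl_client_verify != SUCCESS) { return 403; }`, and fix "which you can use this in" to "which you can use in". The CA section should also state what happens when both a per-VIRTUAL_HOST `<host>.ca.crt` and the global `ca.crt` exist (which one wins), and the CRL section should say that a CRL file is only honoured for a host that also has a CA file, since nginx applies `ssl_crl` only when client verification is enabled. Minor wording: "named as its equivalent `VIRTUAL_HOST` variable" reads awkwardly; "named after the `VIRTUAL_HOST` value" is clearer, and the "root certificate is self-signed" sentence could note that the file may contain the full CA chain (nginx accepts several PEM certificates in one file).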
@@ -1327,6 +1358,7 @@ Configuration available on each proxied container, either by environment variabl
13271358
| n/a | [`com.github.nginx-proxy.nginx-proxy.non-get-redirect`](#how-ssl-support-works) | global (proxy) value |
13281359
| [`SERVER_TOKENS`](#per-virtual_host-server_tokens-configuration) | n/a | no default value |
13291360
| [`SSL_POLICY`](#how-ssl-support-works) | n/a | global (proxy) value |
1361+
| n/a | [`com.github.nginx-proxy.nginx-proxy.ssl_verify_client`](#optional-ssl_verify_client) | `on` |
13301362
| n/a | [`com.github.nginx-proxy.nginx-proxy.trust-default-cert`](#default-and-missing-certificate) | global (proxy) value |
13311363
| [`VIRTUAL_DEST`](#virtual_dest) | n/a | `empty string` |
13321364
| [`VIRTUAL_HOST`](#virtual-hosts-and-ports) | n/a | no default value |
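Review bot: the default column for `com.github.nginx-proxy.nginx-proxy.ssl_verify_client` reads `on`, which suggests every proxied container verifies client certificates by default; per the new mTLS section a host is only "secured" once a per-VIRTUAL_HOST or global CA file is present, and nginx's own default for `ssl_verify_client` is `off`. Clarify the cell to something like "`on` (only when a CA file exists)" or link it to the CA section, and list `optional` as the other accepted value so readers do not have to guess which label values are valid.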
