Tweak Nginx Webserver with limited Client Certificate

Page content

Install NGINX & PHP

pkg_add nginx php--%7.3
rcctl enable nginx php73_fpm

Edit php.ini

sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/'  /etc/php-7.3.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/'  /etc/php-7.3.ini

nginx.conf

mkdir /var/log/nginx

cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes  1;

worker_rlimit_nofile 1024;

events {
    worker_connections  800;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.php index.html index.htm;

    keepalive_timeout  65;

    server_tokens off;

    proxy_cache_valid any 0s;

    log_format  main  '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent';

    map $ssl_client_serial $ssl_access {
      default 0;
      WFuDgzQBZXV740D3 1;   # Hans Muster
      EDugUslEX1Et90WX 0;   # Beat Breu
      2DF3C663741296F5 1;   # Ruedi Ruessel
    }
    #
    # HTTP -> Redirect to HTTPS
    #
    server {
        listen        80;
        server_name   localhost;
        access_log    logs/host.access.log  main;
        return 301    https://$host$request_uri;
    }
    #
    # HTTPS server
    #
    server {
        listen        443 ssl;
        server_name   localhost;
        access_log    /var/log/nginx/puffy205.log main;
        error_log     /var/log/nginx/puffy205-error.log;

        ssl_certificate             /etc/ssl/combo/host.crt;
        ssl_certificate_key         /etc/ssl/combo/host.crt;
        ssl_session_timeout         5m;
        ssl_session_cache           shared:SSL:1m;
        ssl_ciphers                 HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate      /etc/ssl/combo/root.crt;
        ssl_verify_client           optional;

        root                        /var/www/htdocs;

        location / {
          # Block if no Cert
          if ($ssl_client_verify != SUCCESS) {
            return 403;
          }
          # Block if not whitelisted
          if ($ssl_access = 0) {
            return 403;
          }
        }

        location ~ \.php$ {
          try_files      $uri $uri/ =404;
          fastcgi_pass   unix:run/php-fpm.sock;
          fastcgi_index  index.php;
          fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param  SSL_CLIENT_SERIAL $ssl_client_serial;
          include        fastcgi_params;
        }
    }
}
EOF

Root Cert, Server Cert

mkdir -p /etc/ssl/combo/
cat << 'EOF' > /etc/ssl/combo/host.crt
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIIaGXwEvomrIYwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0yMDA0MDIxNTE1
MDBaFw0yMjA2MTExNTE1MDBaMGIxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxGDAW
BgNVBAMTD3B1ZmZ5MjA1LnBsYW5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKiWF3qZvvXDPxuwhMHE3WDIQIJvRPKmBQQsEnnn598tD+W7aeSgvnZ3
Oel3n4WRl6syNF3CLPo3EbMy8VgZrCOul8Uvjro9WLZeL7tG5CndRFZu9Erzq2Ic
KodQGxEc3jC3UxFypr4OuUAigrlWi5dRp3dhzP4/xqQ42c1axPoI/YDzIdw5O6WZ
QWZf0YfsAIbbkw3YymLBoZQxyBmhasaU6xBnIAMLuYA6IVqz3QoGHxDr8bij34y5
TRb0575TzTdAtmWhN3GE+xGOJ/KPQ6MZjaA9oz15bMVuVg1uZgUXE5K22kx6eZLk
ejhV4nxnokftPJBZfaC9LbX661B9GTUCAwEAAaOBqzCBqDAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT9D1+1pNUT3SuAfeptzaeszgUivTALBgNVHQ8EBAMCBeAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwJAYDVR0RBB0wG4IPcHVmZnkyMDUucGxhbmV0gghw
dWZmeTIwNTARBglghkgBhvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBj
ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAKfRir/cZkKdeoDWV5qN3NNw/
AWNJZjkA6KvFwuXjvMR00/vlaqTuOOBKEU5CtxnHDKhfpkjSnX7ynoJXoAQYkNag
3reSKkFZ1TX1yz/Pf/f8YLbiA3e1hx9E0E5gAENtYB6vkZh5quhRnqsHSJpJP6H6
IYaZLh7w4+RL5qvQmN1tlyKwInrJmY6jsLPhALUDFQewDPJDla/iJ6ivlHsvCtMC
MA/slsJ2iWaHbAIzCXZyBeJHR949zJvja0jJPJHVDknsKypO9WEeMclaSoY1AfVI
dGg5W8ahwxuwX2e3ygbORoG0R1Qoeqdp8+VRvOpxM4R97NPtkEq/XPgrtWnoyQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqJYXepm+9cM/G7CEwcTdYMhAgm9E8qYFBCwSeefn3y0P5btp
...
AsoXCZvnbPzWsP8M2JokEngD0201NZN8/aBuDi0+aF1b3xA1vtKumdM=
-----END RSA PRIVATE KEY-----
EOF
chmod 440 /etc/ssl/combo/host.crt

cat << 'EOF' > /etc/ssl/combo/root.crt
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIIe1F3tBzaragwDQYJKoZIhvcNAQEMBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0xOTA2MDUyMDA0
MDBaFw0yOTA2MDUyMDA0MDBaMFoxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxEDAO
BgNVBAMTB3Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8
kBixlR0b3tE7Db6CuFTYeKdSGbnLx2Df8zir0ueFlv6JX5rLgbWbb5rMnWOH1O1N
AmCbuh0CrXD1evl1Glyf3hmumIvW4GVfWcQNvBsq1iUfoJn24qGnTu502xX1Gv5F
TCOxq2HqdLEwsktl2Pn76/49quj1PlBSSpYLWBsvqj1NkNIXgMzUjBURF+fEtRby
SE5RLbw+fubAw1e9K3Xu5VLgItno3g9t2B4MKTApsCZsOR288kedrAUxFhyB2pD/
6L9sbyM1h5r+EMjAzyeTeUKtXXqC+AyLthkw3eB58UY/QxpoNiggQY+5yd57yzxK
Ox1QHh+kj2+8eK5b3+pFAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFG8FFqfTRx/lTT0qfF/tEknHS7LSMAsGA1UdDwQEAwIBBjARBglghkgBhvhC
AQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG
9w0BAQwFAAOCAQEATzFY8H0EX+yFWEgRtGNciIp0WsQ53cjRnNxdkDsW+W2gB+cs
QdS2LBoWts5jLHXrZstJAoy1qyEhqyYvXFMf4SsfKsrXfli7fgod5figyVjhmz41
6v/Ss668kyjWOYkY3CYqPTJolxDuIpMIq/AMGurlcf6oTDdP/FPs4nvdGed16Qjp
849n7r+ugQKrbDC4VpDXcZECXlQjI3QgUeXKqly0LXcwqFXqC3+m1O6YTwyIFrLy
8ZyWjAKN4NdKd88eiczvEj3uQVXhqkbmiEyp3q5jsXcQLzblJ0aCABqppvGLgASq
Z9QeBLjqhJ3DIcgKcHqJsox+xKrDLtIvgYmaOg==
-----END CERTIFICATE-----
EOF
chmod 440 /etc/ssl/combo/root.crt

index.php

cat << 'EOF' > /var/www/htdocs/index.php
Hi <?
  $array = [
    "WFuDgzQBZXV740D3" => "Hans Muster",
    "EDugUslEX1Et90WX" => "Beat Breu",
    "2DF3C663741296F5" => "Ruedi Ruessel"
  ];
  echo $array[$_SERVER['SSL_CLIENT_SERIAL']];
?>, your Certificat Serial Number is 
<?
  echo $_SERVER['SSL_CLIENT_SERIAL'];
?>
EOF

Start all stuff

rcctl restart nginx php73_fpm

Open Webpage:

puffy205

sha256: 0c35459441570b93b53034ed2b6f0f1fd25961004d6c3863bd1671f901431ba3