thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-08-23 16:01:57 +00:00
Code Issues Releases Wiki Activity

feat: SSL client certificate validation

Browse Source
This commit is contained in:
Niek
2025-02-27 13:20:45 +01:00
parent 219d3b1b8c
commit 409b0e6fbb
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
nginx.tmpl
View File

@@ -759,6 +759,9 @@ proxy_set_header Proxy "";
{{- /* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default). */}} {{- /* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default). */}}
{{- $ssl_policy := groupByKeys $vhost_containers "Env.SSL_POLICY" | first | default "" }} {{- $ssl_policy := groupByKeys $vhost_containers "Env.SSL_POLICY" | first | default "" }}
{{- /* Get ssl_verify_client defined by containers w/ the same vhost, falling back to "on" */}}
{{- $ssl_verify_client := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.ssl_verify_client" | keys | first | default "on" }}
{{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000". */}} {{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000". */}}
{{- $hsts := groupByKeys $vhost_containers "Env.HSTS" | first | default $globals.config.hsts }} {{- $hsts := groupByKeys $vhost_containers "Env.HSTS" | first | default $globals.config.hsts }}
@@ -780,6 +783,7 @@ proxy_set_header Proxy "";
"acme_http_challenge_enabled" $acme_http_challenge_enabled "acme_http_challenge_enabled" $acme_http_challenge_enabled
"server_tokens" $server_tokens "server_tokens" $server_tokens
"ssl_policy" $ssl_policy "ssl_policy" $ssl_policy
"ssl_verify_client" $ssl_verify_client
"trust_default_cert" $trust_default_cert "trust_default_cert" $trust_default_cert
"upstream_name" $upstream_name "upstream_name" $upstream_name
"vhost_root" $vhost_root "vhost_root" $vhost_root
@@ -1038,6 +1042,25 @@ server {
include /etc/nginx/vhost.d/default; include /etc/nginx/vhost.d/default;
{{- end }} {{- end }}
{{/* SSL Client Certificate Validation */}}
{{/* If vhost(hash).ca.crt exists, include CA */}}
{{- if (exists (printf "/etc/nginx/certs/%s.ca.crt" $vhostFileName)) }}
ssl_client_certificate {{ printf "/etc/nginx/certs/%s.ca.crt" $vhostFileName }};
ssl_verify_client {{ $vhost.ssl_verify_client }};
{{/* If vhost(hash).crl.pem exists, include CRL */}}
{{- if (exists (printf "/etc/nginx/certs/%s.crl.pem" $vhostFileName)) }}
ssl_crl {{ printf "/etc/nginx/certs/%s.crl.pem" $vhostFileName }};
{{ end }}
{{/* If no vhost CA file exists, but a global ca.crt exists include it */}}
{{ else if (exists "/etc/nginx/certs/ca.crt") }}
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client {{ $vhost.ssl_verify_client }};
{{/* If no vhost CA file exists, but a global ca.crl.pem exists include it */}}
{{ if (exists "/etc/nginx/certs/ca.crl.pem")}}
ssl_crl /etc/nginx/certs/ca.crl.pem;
{{ end }}
{{ end }}
{{- if $vhost.enable_debug_endpoint }} {{- if $vhost.enable_debug_endpoint }}
{{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }} {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
{{- end }} {{- end }}