support optionally esgf x509 certificates for access control

[cehbrecht]

... we might need to provide this for copernicus.

Some hints:

Python requests:

http://docs.python-requests.org/en/master/user/advanced/?highlight=ssl#client-side-certificates

curl: use --cert and -–key options

gunicorn SSL settings:

http://docs.gunicorn.org/en/latest/settings.html#cert-reqs

[cehbrecht]

one needs to configure nginx with ssl client certificate verification:

ssl_client_certificate /etc/ssl/esgf-ca-bundle.crt;
#ssl_crl /etc/ssl/ca.crl;
ssl_verify_client on;
ssl_verify_depth          2;
ssl_session_timeout 5m;

The esgf-ca-bundle.crt bundle is available on ESGF github:
https://github.com/ESGF/esgf-dist

A client request needs an ESGF X.509 proxy certificate, cert.pem for example:

$ curl --cert cert.pem --key cert.pem -k "https://localhost:5000/ows/wps?service=WPS&request=GetCapabilities"

[tomLandry]

I think you can label that PAVICS too. If we can't implement it with you, we'll at least test it in the upcoming year.

[cehbrecht]

more infos on nginx configuration:

• https://gist.github.com/mtigas/952344
• https://serverfault.com/questions/622855/nginx-proxy-to-back-end-with-ssl-client-certificate-authentication
• https://nginx.org/en/docs/http/configuring_https_servers.html

[cehbrecht]

oops, wrong ticket ...

[cehbrecht]

To let twitcher make the decision if the client proxy is needed for the request one needs to set:

ssl_verify_client    optional;

To pass the client certificate and verification information to the twitcher one can use proxy parameters, like:

proxy_set_header        X-SSL-Client-Cert $ssl_client_cert;
proxy_set_header        X-SSL-Client-Verify $ssl_client_verify;
proxy_set_header        X-SSL-Client-S-DN $ssl_client_s_dn;

[cehbrecht]

possible values of ssl_verify_client:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client