Skip to content

Allow WebID+TLS behind a reverse proxy #519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 13, 2017
Merged

Allow WebID+TLS behind a reverse proxy #519

merged 4 commits into from
Jul 13, 2017

Conversation

@RubenVerborgh
Copy link
Contributor

@RubenVerborgh RubenVerborgh commented Jul 13, 2017
edited
Loading

This pull requests extends the Solid server with an acceptCertificateHeader option. If enabled (default: no), the Solid server accepts a client certificate in PEM format through the X-SSL-Cert HTTP header.

This can be used in combination with the following NGINX options:

ssl_verify_client optional_no_ca;
proxy_set_header X-SSL-CERT $ssl_client_cert;

That way, NGINX can terminate the SSL connection (and thus run multiple services on port 443), whereas Solid can still check whether the certificate matches the WebID.

Security considerations

In this configuration, the Solid server does not verify whether the client has the matching private key to the certificate (NGINX does). As such, acceptCertificateHeader should never be enabled on front-facing servers.

@RubenVerborgh RubenVerborgh self-assigned this Jul 12, 2017
@RubenVerborgh RubenVerborgh mentioned this pull request Jul 12, 2017
Closed
@RubenVerborgh
Support client certificates via X-SSL-Cert header.
94980f7 
The WebID-TLS implementation assumed an end-to-end TLS connection
from the client to the server, so reverse proxies were not possible.
With this commit, the reverse proxy can terminate the TLS connection
and pass the client certificate through the X-SSL-Cert HTTP header.
@RubenVerborgh
Make x509 dependency optional.
56a0088 
This is a native module, which might not compile on all platforms.
Furthermore, it is only needed for header-based WebID auth.
@RubenVerborgh
Add acceptCertificateHeader option.
85d3d17
@RubenVerborgh
WebID through header doesn't require TLS.
d328423
@RubenVerborgh RubenVerborgh force-pushed the feature/tls-cert-header branch from 65657ed to d328423 Compare July 13, 2017 15:21
@dmitrizagidulin
Copy link
Contributor

dmitrizagidulin commented Jul 13, 2017

@RubenVerborgh looks good! Thanks.

@dmitrizagidulin dmitrizagidulin merged commit b0591af into dz_oidc Jul 13, 2017
@dmitrizagidulin dmitrizagidulin deleted the feature/tls-cert-header branch July 13, 2017 16:52
@RubenVerborgh RubenVerborgh added this to the 4.0.0 milestone Aug 10, 2017
RubenVerborgh added a commit that referenced this pull request Sep 12, 2017
@RubenVerborgh
Add CHANGELOG entry for acceptCertificateHeader (#519).
679cd66
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dmitrizagidulin dmitrizagidulin dmitrizagidulin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@RubenVerborgh RubenVerborgh

Labels

enhancement ready for review

Projects

None yet

Milestone

4.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@RubenVerborgh @dmitrizagidulin