feat: mTLS with nginx and python #1583
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
I'm working on it, and I think this first change wasn't a good one because it's in the base url location / {...} I'm studying and exploring something that fits better. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When we are going to integrate 2 systems where we need a high level of security between the two ends of the communication, we must use mTLS to verify and validate that the requests received from the client have the certificate...
Normally this type of integration does not work with HMAC, it must use mTLS.
So, I looked for the most efficient and flexible configuration to apply this, thinking that on a server with a "bench" we will have more than one site and each site can have more than one integration enabled with mTLS certificate configured and each integration can have your own certificate
The ngnix configuration was chosen:
ssl_verify_client optional_no_ca
optional_no_ca: requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases when a service that is external to nginx performs the actual certificate verification. The contents of the certificate is accessible through the $ssl_client_cert variable.
"proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;": allows you to get the certificate from the header, using a relative variable.
So with this config, i can made a validade on Python loading the certificate configured on relative integration and confirming the identity:
ps: Maybe there are some more points to be implemented, I will be putting my application into production in a few days or weeks...
I am open to suggestions