01/01: nginx: berlin: Require authentication for Cuirass /admin routes.
From: Ricardo Wurmus
Subject: 01/01: nginx: berlin: Require authentication for Cuirass /admin routes.
Date: Wed, 30 Oct 2019 08:19:28 -0400 (EDT)
rekado pushed a commit to branch master
in repository maintenance.
commit 7b3957b7a20f272f5d00497b139b607a93908c40
Author: Ricardo Wurmus <address@hidden>
Date: Wed Oct 30 13:11:28 2019 +0100
nginx: berlin: Require authentication for Cuirass /admin routes.
* hydra/nginx/berlin.scm (berlin-locations): Require client
certificate authentication on /admin location.
(%berlin-servers): Verify client certificate optionally on
ci.guix.gnu.org.
---
hydra/nginx/berlin.scm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 40a757b..2947759 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -171,6 +171,10 @@ PUBLISH-URL."
(nginx-location-configuration
(uri "/")
(body (list "proxy_pass http://localhost:8081;")))
+ (nginx-location-configuration
+ (uri "~ ^/admin")
+ (body
+ (list "if ($ssl_client_verify != SUCCESS) { return 403; }
proxy_pass http://localhost:8081;")))
(nginx-location-configuration
(uri "/static")
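Review bot: In the new `~ ^/admin` location the `$ssl_client_verify` test is the only gate, and the unchanged `/` location directly above it proxies to the same backend (http://localhost:8081) with no check, so any request path that this case-sensitive regex does not match reaches Cuirass without a certificate. It would be worth confirming that Cuirass serves its admin routes only under the exact lowercase /admin prefix and recording that in a comment here, since the protection depends on nginx and Cuirass agreeing on what counts as an admin path. As a style point, the body puts the `if` and the `proxy_pass` directives into a single string, while the neighbouring bodies use one directive per string; splitting it into two list elements would read more clearly.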
@@ -575,7 +579,11 @@ PUBLISH-URL."
"access_log /var/log/nginx/https.access.log;"
"proxy_set_header X-Forwarded-Host $host;"
"proxy_set_header X-Forwarded-Port $server_port;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))))
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ ;; For Cuirass admin interface authentication
+ "ssl_client_certificate /etc/ssl-ca/certs/ca.crt;"
+ "ssl_crl /etc/ssl-ca/private/ca.crl;"
+ "ssl_verify_client optional;"))))
(nginx-server-configuration
(listen '("443 ssl"))
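Review bot: `ssl_verify_client optional;` still accepts requests that present no client certificate, so on this server access control rests entirely on each location testing `$ssl_client_verify`; the comment above the added directives ("For Cuirass admin interface authentication") should say so, so that a later admin-style location is not added without the same `if`. It would also help to document that the file named by `ssl_crl` is read when the configuration is loaded, so a revocation added to /etc/ssl-ca/private/ca.crl takes effect only after nginx is reloaded, and that the file has to exist for the server to start.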