Nginx configuration that grants access only to clients that are on the local network or that present a valid SSL client certificate.
# Reverse proxy for granting access to clients that are
# in the local net or presenting a valid SSL certificate.
# Credits to https://stackoverflow.com/a/48012499/2705147
# Classify the connecting peer by source address.
# geo reads $remote_addr (spelled out here), i.e. the address of the TCP peer
# that reached this nginx. If another proxy sits in front of it, every client
# would appear to come from that proxy's address unless real_ip is configured.
geo $remote_addr $internal_ip {
    10.0.0.0/16 yes;
    default     no;
}
# Fold the two signals into one yes/no decision.
# $internal_ip is "yes"/"no"; $ssl_client_verify is "NONE", "SUCCESS" or
# "FAILED:<reason>", so the concatenated key looks like "yesNONE",
# "noSUCCESS", "noFAILED:…" and so on.
map $internal_ip$ssl_client_verify $request_allowed {
    # "~*" starts a case-insensitive regex; a plain "~" would be case-sensitive.
    "~*^yes"     yes;   # peer is on the local network
    "~*SUCCESS$" yes;   # client certificate verified against ca.crt
    default      no;    # everyone else is denied
}
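# Choose the proxy target from the access decision.
# Because proxy_pass is given a variable, nginx resolves the host name per
# request; that needs a `resolver` directive (or an `upstream` block named
# backend.example.org) elsewhere in the configuration, which is not shown here.
map $request_allowed $proxy_pass_url {
    yes "http://backend.example.org";
    # Denied requests are bounced to this server's own /access-denied.
    # The target is the fixed server name rather than $host: $host is taken
    # from the client's Host header, so using it would let a denied client
    # pick the host nginx opens the outbound connection to.
    no  "http://frontend.example.org/access-denied";
}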
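server {
    listen 443 ssl;
    server_name frontend.example.org;

    # CA that presented client certificates must chain to.
    ssl_client_certificate ca.crt;
    # "optional" lets connections without a (valid) certificate complete the
    # handshake, so $ssl_client_verify can be inspected and a 403 served
    # instead of a bare TLS failure.
    ssl_verify_client optional;
    # other SSL stuff …

    location / {
        # Reject denied clients right here rather than proxying the denial
        # through $proxy_pass_url, which would open a second HTTP connection
        # (to whatever the "no" entry names) just to produce a 403.
        # `if` followed by `return` is one of the safe uses of `if` in a location.
        if ($request_allowed != yes) {
            return 403;
        }
        proxy_pass $proxy_pass_url;
        # other proxy stuff …
    }

    # Kept for callers that still arrive via the map's "no" target.
    location = /access-denied {
        return 403;
    }
}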