How to setup Nginx TLS certificate based Authentication (VPN alternative)

NashBrydges

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

JaredBusch

@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Simply use a different URL for the restricted pages versus open pages.
secure.domain.com vs www.domain.com

Only have the client certs in the nginx config for the secure.domain.com server block.

Both blocks can still be SSL.

Which i might add, is why he should have put everything in separate config files and not screw up the default nginx.conf

NashBrydges

@jaredbusch said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Simply use a different URL for the restricted pages versus open pages.
secure.domain.com vs www.domain.com

Only have the client certs in the nginx config for the secure.domain.com server block.

Both blocks can still be SSL.

Nice! Didn't think of using a sub-domain. Definitely going to have to give this a try.

Emad R

@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

NashBrydges

It's official, I'm NEVER getting through my to-do list. Must stop coming here. Lol

JaredBusch

@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

Now I needed to manually add the ca.crt file to "/etc/pki/tls/certs/ca-bundle.crt" (this took days of research)...
So copy the contents of "/etc/pki/nginx/ca.crt" and paste it at the end of "/etc/pki/tls/certs/ca-bundle.crt" Finally restart nginx

# Append the ca.crt to the ca-bundle.crt
cat /etc/pki/nginx/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

JaredBusch

@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

You will also now have to replace client certificates yearly.

Emad R

@emad-r

Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.

What I did I install Fedora LXDE spin

Then installed ontop of that VNC on port 5901 made it run on local host

Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
so http://192.168.1.x:7777
allows me to connect to my machine.

stay with me.

Using this method I tried to proxy http://192.168.1.x:7777 and use nginx extra security

It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:

https://kanaka.github.io/noVNC/img/noVNC-5.png

with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.

Emad R

@jaredbusch said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@nashbrydges said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

You will also now have to replace client certificates yearly.

But that is good security practice as well. I will know when this happens when they all complain the same time about site access no need to set reminder

NashBrydges

@emad-r said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@emad-r

Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.

What I did I install Fedora LXDE spin

Then installed ontop of that VNC on port 5901 made it run on local host

Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
so http://192.168.1.x:7777
allows me to connect to my machine.

stay with me.

Using this method I tried to proxy http://192.168.1.x:7777 and use nginx extra security

It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:

https://kanaka.github.io/noVNC/img/noVNC-5.png

with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.

I prefer using Guacamole for all my remote access needs but I think I'll definitely implement something like this to restrict access to my own staff.

Alex Sage

Couldn't I change the number of days to something longer?

Emad R

@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

Couldn't I change the number of days to something longer?

yh ofcourse, replace all the 365 in the above commands to whatever you want.

Alex Sage

@emad-r 3650

JaredBusch

@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@emad-r 3650

One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken.

Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.