Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

certauth: Should accept authentication to webadmin through a trusted proxy #1430

Open
00dani opened this issue Jul 25, 2017 · 0 comments · May be fixed by #1478
Open

certauth: Should accept authentication to webadmin through a trusted proxy #1430

00dani opened this issue Jul 25, 2017 · 0 comments · May be fixed by #1478

Comments

@00dani
Copy link

00dani commented Jul 25, 2017

The certauth module allows users to log into ZNC's webadmin using their client certificate, if the webadmin is accessed over TLS. However, one common configuration of ZNC involves running the webadmin behind a reverse proxy such as nginx, and it is impossible to "forward" a client's certificate through the proxy to ZNC.

A workaround, which many backend servers support, is to optionally accept a client certificate in the form of an HTTP header, rather than requiring the certificate to have actually been used for the TLS negotiation. Unfortunately, certauth does not currently support this feature.

I propose that, if certauth is validating a request from a declared TrustedProxy, it check for an HTTP header such as X-Client-Fingerprint, and use that fingerprint if present rather than require a client certificate to be presented in the request. This change would make it trivial to pass through a previously verified client certificate from nginx:

ssl_verify_client optional_no_ca;
location / {
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
  proxy_pass https://[::1]:7878; # this is where my webadmin's listening ;)
}

Of course, if the request to ZNC did not come from a TrustedProxy, it's not safe to trust a fingerprint presented as a header, and in that case the header should be ignored.
an-empty-string added a commit to an-empty-string/znc that referenced this issue Dec 23, 2017
@an-empty-string
Allow trusted proxies to forward client certificate fingerprints (znc…
fb8d78b 
…#1430)

These changes allow trusted proxies to set a header overriding the
detected client certificate fingerprint. This allows webadmin behind a
HTTPS-supporting proxy to correctly work with the certauth module.
@an-empty-string an-empty-string linked a pull request Dec 23, 2017 that will close this issue
Open
an-empty-string added a commit to an-empty-string/znc that referenced this issue Feb 18, 2018
@an-empty-string
Allow trusted proxies to forward client certificate fingerprints (znc…
fb2424a 
…#1430)

These changes allow trusted proxies to set a header overriding the
detected client certificate fingerprint. This allows webadmin behind a
HTTPS-supporting proxy to correctly work with the certauth module.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[WIP] Allow trusted proxies to forward client certificate fingerprints (#1430) an-empty-string/znc
1 participant
@00dani