I've got an nginx config that does ssl-pki authentication - I'm happily able to authenticate my users.
However, I want to take it a bit further - I want to allow/deny access to resources based on the ssl variables - specifically $ssl_client_s_dn (and verify that $ssl_client_verify is 'SUCCESS').
Based on this I want to selectively allow/deny groups of URLs based on a user list. In this scenario, Elasticsearch. I have:
- Some common APIs I want to access (server status, cluster health, 'ping').
- Some indices I want one group of users to be able to 'see'.
- Some indices I want another group of users to 'see'.
Now it looks like I can probably do this with http_auth_request - redirect to an 'auth' url - a bit like outlined in this blog.
But this seems a bit overkill to me, as to do that I'll have to write my own 'engine' to accept/read http, validate it against what amounts to a regex, and spit out a response code.
What I'm trying to do is 'whitelist', e.g. for me:
allow if /(logstash|filebeat|topbeat)-mygroup-.*/;
(where 'mygroup' is read from a file somewhere, and ideally allows to have multiple-group membership).
Now, is this best done with http_auth_request, and feeding it to a really cut down validator web app (either script standalone, or a cgi type script inside NGINX), or is there a better way?
This module is an extra for nginx, which means a recompile. That's not a disaster, but if it's not necessary (and I can continue using 'stock' nginx) that would be preferable.
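The "really cut down validator" the question describes, as an added example that is not from the question or any answer: a minimal auth_request backend that checks $ssl_client_verify, maps the certificate DN to groups read from a user list, and whitelists the common APIs plus the per-group index names. It assumes nginx forwards $ssl_client_verify, $ssl_client_s_dn and $request_uri as the headers X-Client-Verify, X-Client-DN and X-Original-URI (via proxy_set_header), that DNs are in the RFC 2253 form newer nginx emits, and the group file and DNs below are constructed.

```python
import posixpath
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed stand-in for the "user list" file: subject DN, a tab, then the
# comma-separated groups that DN belongs to (multiple-group membership works).
GROUP_FILE = """\
CN=alice,OU=search,O=Example\tanalysts
CN=bob,OU=ops,O=Example\tops,analysts
"""

def load_groups(text):
    """Parse the DN -> groups file into a dict of sets."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            dn, names = line.split("\t", 1)
            groups[dn] = {g.strip() for g in names.split(",") if g.strip()}
    return groups

GROUPS = load_groups(GROUP_FILE)
# Common APIs every verified client may reach: ping ("/") and cluster health.
COMMON = re.compile(r"^/(?:_cluster/health|_cat/health)?$")
# Per-group index whitelist; the group name is embedded in the index name.
INDEX_RULE = r"^/(?:logstash|filebeat|topbeat)-{group}-[^/]+(?:/|$)"

def is_allowed(verify, dn, uri, groups=GROUPS):
    """True when the client cert verified and the request path is whitelisted."""
    if verify != "SUCCESS":
        return False
    # Match the decoded, normalised path so "..", "%2F" or a query string
    # cannot make a denied index look like an allowed one.
    path = posixpath.normpath(unquote(uri.split("?", 1)[0]))
    if COMMON.match(path):
        return True
    return any(re.match(INDEX_RULE.format(group=re.escape(g)), path)
               for g in groups.get(dn, ()))

class AuthHandler(BaseHTTPRequestHandler):
    """auth_request backend: nginx passes the SSL variables as headers (assumed names)."""
    def do_GET(self):
        ok = is_allowed(self.headers.get("X-Client-Verify", ""),
                        self.headers.get("X-Client-DN", ""),
                        self.headers.get("X-Original-URI", ""))
        self.send_response(200 if ok else 403)
        self.end_headers()
    do_HEAD = do_POST = do_PUT = do_DELETE = do_GET

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), AuthHandler).serve_forever()
```

nginx only needs `auth_request` pointed at this listener; a 200 lets the proxied Elasticsearch request through, a 403 stops it.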
Perhaps something like this would work. Given a file path, it will return a "Forbidden" response unless $ssl_client_verify has been set appropriately.