Add client certificate support
Implement client certificates
Is your feature request related to a problem? Please describe.
I am securing my web applications with Cloudflare Access. I did all the proxying through manual configuration of an nginx server. But because I am running more and more applications, I wanted to have a nice GUI like this from npm. As long as npm does not support client certificates, I cannot protect my website from unwanted access.
Describe the solution you'd like
I would like a feature to upload an SSL cert without a key, which is currently not possible, and then use it inside a proxy host to verify the client's certificate.
With a bit of a workaround it is possible to do this. For whatever reason you're very limited in what you can add to the Edit Proxy Host >> Advanced >> Custom Nginx Configuration section. However, you can put an include. I wanted to authenticate with my smart card, so I added two read-only binds to the docker-compose stack:
- /docker/proxy/DoD_CAs.pem:/etc/ssl/certs/DoD_CAs.pem:ro
- /docker/proxy/cac_auth.conf:/etc/nginx/conf.d/include/cac_auth.conf:ro
Inside the custom nginx configuration section I added include conf.d/include/cac_auth.conf;
You should be able to add any custom nginx config using this method that would otherwise be unsupported in NPM. Here's what is inside my cac_auth.conf.
ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;
ssl_verify_client on;
if ($ssl_client_s_dn !~ "CN=YOURCERTCOMMONNAMEHERE") {
    return 403;
}
Thanks for the tip! Native support would be awesome tho :)
Tried @dmwilson1990's recommendation:
Command failed: /usr/sbin/nginx -t -g "error_log off;"
nginx: [emerg] invalid condition "!~" in /etc/nginx/conf.d/include/client_cert.conf:3
nginx: configuration file /etc/nginx/nginx.conf test failed
That's the file content:
ssl_client_certificate /data/custom_ssl/tynsoe_ca.pem;
ssl_verify_client on;
if ($ssl_client_s_dn !~ "CN=yann") {
    return 403;
}
EDIT: It might have been that I didn't have Safari sending the certificate, because I didn't have it in my keychain yet. I removed the block totally though, as I'm assuming it'll trust any CA-generated certificate in that case.
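Added example, not part of any comment in this thread and not the project's own configuration: the same include file with the subject check tightened. The `!~` test in the snippets above is an unanchored regex, and with the `if` block removed every certificate issued by a CA in the bundle is accepted. The CA path is the one from the first snippet; the subject DN is a constructed placeholder.

```nginx
# Added example for the include file used in this thread (server context).
# The subject DN below is a constructed placeholder; substitute your own.

# CA bundle that client certificates must chain to.
ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;

# Refuse requests that do not present a certificate chaining to that bundle.
# On its own this accepts EVERY certificate issued under those CAs.
ssl_verify_client on;

# The default depth is 1; raise it when the client chain includes
# intermediate CAs between the root and the client certificate.
ssl_verify_depth 2;

# Weak form (as posted above): "!~" is an unanchored regex match, so
# "CN=yann" also matches "CN=yannick" or any DN containing that substring.
#   if ($ssl_client_s_dn !~ "CN=yann") { return 403; }

# Hardened form: compare the whole subject DN as an exact string.
# nginx 1.11.6+ reports $ssl_client_s_dn in RFC 2253 form (most specific
# RDN first, comma separated). Print the exact string for a certificate with:
#   openssl x509 -in client.pem -noout -subject -nameopt RFC2253
if ($ssl_client_s_dn != "CN=yann,OU=Example Unit,O=Example Org") {
    return 403;
}
```

Validate with `nginx -t` after mounting the file, then confirm that a certificate from the same CA with a different subject receives a 403.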
Issue is now considered stale. If you want to keep it open, please comment :+1:
Yes this is a desired feature.
Please add built-in support for using user certificates in nginx-proxy-manager.
I would also like this as well
Please add your support for a working PR for this feature w/full UI support by @wrouesnel here: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956
How can we support this PR further? Do you mean take over the PR and fix the broken tests?
I would also like to see support for client certificates. I would then be able to use resources directly out on the public internet instead of having them behind my VPN. I would implement the workaround meanwhile :)
Btw, thanks for a great open source project.
Will also +1 support for this feature. This application seems like it is well made, but that's a feature I need, so for me I will switch to regular old nginx for now. I don't really see the point in figuring out workarounds thru this app when the regular old config files way exists.
I'd love to see support for this. Sorry to see a great PR exists but has been ignored. https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956
Issue is now considered stale. If you want to keep it open, please comment :+1:
I still see big value in getting this feature.
If that becomes a feature, it'd be awesome!
+1
+1 - would love such a feature via Webgui
Please implement that feature. Would love it.