
[Question/Feature request] Auth with private SSL

Open zentaos opened this issue 4 years ago • 5 comments

Hello guys!

I'm switching from Caddy and I'm looking for a feature I miss.

In Caddy I can protect the whole server with a single private self-signed SSL. Users can only access the site if they have it on the client machine.

Is it possible in NPM in some way? With web or config?

Thanks

zentaos avatar Mar 29 '21 20:03 zentaos

ssl_client_certificate /YOUR/LOC/HERE/ca.crt;
ssl_verify_client on;
location / {
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    # Force SSL
    include conf.d/include/force-ssl.conf;
    # Proxy!
    include conf.d/include/proxy.conf;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_connect_timeout 3600s;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    send_timeout 3600s;
}

Place this code in the advanced section of your proxy host. Make your own CA and certs. Boom. You have user auth.

DarkVentHead avatar Apr 14 '21 10:04 DarkVentHead

ssl_client_certificate /YOU/LOC/HERE/ca.crt;
ssl_verify_client on;
location / {
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    # Force SSL
    include conf.d/include/force-ssl.conf;
    # Proxy!
    include conf.d/include/proxy.conf;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_connect_timeout 3600s;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    send_timeout 3600s;
}

DarkVentHead avatar Apr 14 '21 11:04 DarkVentHead

Looks like most of the code above is auto-generated. I found that it works if I add only these two lines to the advanced section:

ssl_client_certificate /YOU/LOC/HERE/ca.crt;
ssl_verify_client on;

codyhazelwood avatar Aug 17 '21 06:08 codyhazelwood
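
Added example (not part of the thread and not NPM's own code): one way to carry out the "Make your own CA and certs" step with the openssl CLI, and to check that only certificates issued by that CA chain to the file given to ssl_client_certificate. The directory layout, common names and validity periods are assumptions.

```shell
#!/bin/sh
# Added example: private CA + client certificate for nginx ssl_verify_client.
# Directory names, CNs and validity periods are assumptions for illustration.

make_ca() {            # $1 = output dir, $2 = CA common name
    mkdir -p "$1" || return 1
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {       # $1 = CA dir, $2 = client name (used as CN and file name)
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/ca.cnf" \
        -extensions client -out "$1/$2.crt" 2>/dev/null
}

# Approximates the check behind $ssl_client_verify: does the client
# certificate chain to the CA file named in ssl_client_certificate?
chains_to() {          # $1 = ca.crt, $2 = client certificate
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

mtls_selftest() {      # constructed sample: two unrelated CAs, one client each
    d=$(mktemp -d) || return 1
    make_ca "$d/ours" "Example Private CA" &&
    make_ca "$d/other" "Unrelated CA" &&
    issue_client "$d/ours" alice &&
    issue_client "$d/other" mallory &&
    chains_to "$d/ours/ca.crt" "$d/ours/alice.crt" &&
    ! chains_to "$d/ours/ca.crt" "$d/other/mallory.crt"
    rc=$?; rm -rf "$d"; return $rc
}
```

Point ssl_client_certificate at the generated ca.crt; ca.key is only needed when issuing certificates and does not belong on the proxy host.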

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Mar 15 '24 01:03 github-actions[bot]

Would be nice to have a UI to do this.

Also, since I had trouble finding this issue/feature request, I want to throw in that this feature is called "mTLS" or "Client-Certificate".

michi7801 avatar Sep 12 '24 07:09 michi7801

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Apr 27 '25 02:04 github-actions[bot]