
I want to discard all the query parameters and add a new one (for instance DN=$ssl_client_s_dn). The reason is to prevent the client from sending this query parameter.

Replacing the value of the query parameter "DN" is also a valid solution for me.

My configuration file is

server {
    listen 9999 ssl default_server;
    listen [::]:9999 ssl default_server;

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

    ssl_certificate        /keystores/mycert.crt.pem;
    ssl_certificate_key    /keystores/mycert.key.pem;
    ssl_client_certificate /keystores/.npm.certs.pem;         ## CA Bundle
    ssl_verify_client on;

    root /home/edu/my-react-app;

    index index.html;

    server_name _;

    location / {
        try_files $uri $uri/ /index.html =404;
    }

    location = /login {
        if ($arg_DN = "") {
            rewrite ^ /login?DN=$ssl_client_s_dn redirect;
        }
        try_files /index.html =404;
    }
}

I want to use the "DN" query parameter as a login system. But the client can fool me by sending a false DN belonging to a user with higher privileges!

Any idea?

Ximo Dante

1 Answer


If you want to always use $ssl_client_s_dn as the argument, then use:

location = /login {
    # The trailing "?" discards the client's own arguments; without it nginx
    # appends them, so a forged DN would survive as a second DN parameter.
    # "break" keeps the request in this location; "last" would re-enter
    # "location = /login" and trip the internal redirection limit.
    rewrite ^ /login?DN=$ssl_client_s_dn? break;
    # Serve the app, as in the question's configuration.
    try_files /index.html =404;
}

Your current solution only applies this when there is no DN argument.

However, what makes you think a client cannot impersonate the DN field?

Tero Kilkanen
  • Sorry if I haven't explained the question well. I agree with you that my problem is that the client can impersonate the DN field and get administrator's privileges, but I don't know how to solve the problem. If I use the "last" flag the URL is not changed externally; see my last question https://serverfault.com/questions/1112066/nginx-append-query-parameter-to-a-react-application – Ximo Dante Oct 07 '22 at 23:36
  • You need to configure proper client TLS certificate authentication or use a separate authentication mechanism like username / password. – Tero Kilkanen Oct 07 '22 at 23:40
  • Thanks, but I am a beginner and I don't know how to configure proper TLS client authentication. A client can have a valid certificate and in addition send a false DN to the application. I have tried to use njs but I have gotten stuck. I cannot find easy examples and tutorials. – Ximo Dante Oct 07 '22 at 23:45
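The pattern Tero Kilkanen's comment points at, as an added example that is not part of the question or the answer: the browser never supplies identity, nginx attaches the DN it verified during the TLS handshake itself. The paths and port are taken from the question; the /whoami endpoint and the API backend on 127.0.0.1:8080 are assumptions.

```nginx
# Added example (not from the question or answer). Assumes the question's
# certificate paths and a hypothetical API backend on 127.0.0.1:8080.
server {
    listen 9999 ssl default_server;
    listen [::]:9999 ssl default_server;

    ssl_protocols          TLSv1.2;
    ssl_certificate        /keystores/mycert.crt.pem;
    ssl_certificate_key    /keystores/mycert.key.pem;
    ssl_client_certificate /keystores/.npm.certs.pem;   ## CA Bundle
    # The handshake fails without a certificate signed by the CA bundle,
    # so every request reaching a location below carries a verified DN.
    ssl_verify_client on;

    root /home/edu/my-react-app;
    index index.html;
    server_name _;

    location / {
        try_files $uri $uri/ /index.html =404;
    }

    # Read-only identity endpoint for the React front end (assumption):
    # it reports the DN from the certificate, ignoring any DN in the URL.
    location = /whoami {
        default_type text/plain;
        return 200 "$ssl_client_s_dn\n";
    }

    # Hypothetical API backend (assumption). proxy_set_header overwrites any
    # X-Client-DN header the client sends, so the backend can trust it;
    # authorization decisions belong there, not in the browser.
    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

With this layout a forged DN in the query string is simply never consulted, so there is nothing for the /login rewrite to sanitize.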