3

I have a Django application that sits behind Nginx, which requires the user to authenticate via a government CAC (Smartcard). The CAC ID is read by Nginx and passed to Django, which maps that ID to a Django User and logs in that user. That part works fine.

However, if the user removes his/her CAC from the card reader, the application still moves merrily along, allowing the user to continue to load pages from that domain.

How can I force Nginx to verify the CAC certificate on each page load so that once the CAC is removed, Django can log the user out and force them to re-authenticate?

Nginx config:

server {
  listen 443 ssl;

  server_name my-server;
  ssl_certificate ssl/server.crt;
  ssl_certificate_key ssl/server.key;
  ssl_verify_client on;
  ssl_verify_depth 2;
  ssl_client_certificate /etc/ssl/certs/dod-root-certs.pem;

  location /static/ {
    alias /etc/nginx/static/;
    expires 30d;
  }

  location / {
    proxy_pass         http://localhost:8000/;
    proxy_redirect     off;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   X-Scheme   $scheme;

    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Protocol  ssl;

    proxy_set_header   X-SSL-User-DN   $ssl_client_s_dn;
    proxy_set_header   X-SSL-Authenticated $ssl_client_verify;

    proxy_connect_timeout 60;
    proxy_read_timeout 60;
  }
}
PaulP
  • 527
  • 1
  • 7
  • 16

1 Answers1

3

This isn't possible on the server side and beyond nginx control. The nature of SSL is that it can authenticate and authorize, but it will use a session to remember it's decisions.

Think of the site as a building. Once you are authenticated using some kind of keycard you are let in and you can freely walk around. There may be areas that you need additional authorization for and your credentials provided at the entrance will be used for that.

What you are asking for is that when you drop your keycard you will be picked up instantly and removed from the building. You see the issues with that and the normal procedure is to walk out of the building, meaning a client side action. Your best bet is thus to send a logout request from the client side once the keycard is removed. This is a topic in it's own right as answered here.

Community
  • 1
  • 1