Adaptation to Authentic 2.x for authentication and registration with belgian eID card
This repository has been archived on 2023-02-21. You can view files and clone it, but cannot push or open issues or pull requests.
Benjamin Dauvergne f078e292dd debian: change build system 2018-12-03 15:57:39 +01:00
debian debian: change build system 2018-12-03 15:57:39 +01:00
src/authentic2_beid fix registration token pattern (#7526) 2015-06-16 12:32:01 +02:00
MANIFEST.in MANIFEST: fix path to locales 2016-01-05 15:25:59 +01:00
README doc: ciphers config fix 2015-05-22 14:56:07 +02:00
setup.py build: use include_package_data=True to get templates installed 2016-01-05 15:25:46 +01:00

README

Intro
=====

This module allows user authentication and registration with the Belgian eID card.
The idea is to redirect the user to an alternative port that requires SSL client
authentication, and to use the data of the presented SSL certificate to
authenticate the user.

Config
======

URLs that need the SSL client data must be served on a separate port, which is
declared in the BEID_AUTH_PORT setting (defaults to 8443).

Configure Nginx
===============

server {
        # Dedicated eID port: only the URLs that need certificate data are served here.
        listen 8443 ssl;

        server_name example.com;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        ssl_certificate         /etc/ssl/certs/example.com.pem;
        ssl_certificate_key     /etc/ssl/private/example.com.key;
        # Request a client certificate but do not make nginx check its chain:
        # the application validates the eID certificate itself.
        ssl_verify_client optional_no_ca;

        # Anything that is not an eID URL goes back to the regular HTTPS port.
        location / {
                return 301 https://$host/;
        }

        location ~ ^/accounts/beid/(x509|signin|add|activate/.*) {
                proxy_pass         http://localhost:8000;
                proxy_read_timeout 600;
                proxy_set_header Host              $host;
                proxy_set_header X-Real-IP         $remote_addr;
                proxy_set_header X-Forwarded-For   $remote_addr;
                proxy_set_header X-Forwarded-SSL off;
                proxy_set_header X-Forwarded-Protocol ssl;
                proxy_set_header X-Forwarded-Proto http;
                # Certificate data the application authenticates the user from.
                proxy_set_header Ssl-Client-I-Dn $ssl_client_i_dn;
                proxy_set_header Ssl-Client-S-Dn $ssl_client_s_dn;
                proxy_set_header Ssl-Client-Serial $ssl_client_serial;
                proxy_set_header Ssl-Client-Cert $ssl_client_cert;
                proxy_set_header Ssl-Client-Verify $ssl_client_verify;
        }

}
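The backend only ever sees the certificate through the Ssl-Client-* headers set above, so it has to cope with how nginx renders them: $ssl_client_cert arrives as a PEM with a tab inserted after every newline, $ssl_client_s_dn is in RFC 2253 form on nginx 1.11.6 and later ("CN=x,C=BE") and in the older slash form ("/C=BE/CN=x") before that, and because of optional_no_ca the $ssl_client_verify value is "NONE" when no card was presented and otherwise usually "FAILED:<reason>" rather than "SUCCESS". The following is an added example, not code from authentic2_beid; it assumes the headers are available as a plain dict (a Django view would read them from request.META as HTTP_SSL_CLIENT_S_DN and so on), that the Belgian eID subject DN carries the national register number in serialNumber with GN and SN for the given name and surname, and it uses constructed sample header values rather than a real certificate. Chain validation against the Belgian CA is left to the application and is not performed here; the function only recovers the certificate bytes and the identity attributes and reports what nginx did or did not verify.

```python
import base64
import hashlib
import re
from typing import Dict, Optional

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a DN in either form nginx produces.

    RFC 2253 form ("CN=x,C=BE", backslash escapes) for nginx >= 1.11.6 and the
    legacy slash form ("/C=BE/CN=x") before that. Keys are upper-cased so callers
    need not care about 'serialNumber' vs 'SERIALNUMBER'. Multi-valued RDNs
    (joined with '+') are not split; the Belgian eID subject does not use them
    (assumption).
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = re.sub(r"\\(.)", r"\1", value)  # undo \, \+ \" escapes
    return attrs


def certificate_der(header_value: str) -> Optional[bytes]:
    """Recover the DER certificate from the Ssl-Client-Cert header, or None.

    nginx inserts a tab after every newline of the PEM so it fits in one header;
    intermediate proxies may unfold that into spaces. Stripping all whitespace
    from the base64 body handles every variant; validate=True rejects junk.
    """
    match = _PEM_RE.search(header_value)
    if not match:
        return None
    body = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def client_identity(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Identity carried by the forwarded headers, or None when there is none.

    Never falls back to the DN headers alone: without the certificate bytes the
    application cannot validate the chain later, so the request is treated as
    unauthenticated.
    """
    verify = headers.get("Ssl-Client-Verify", "NONE")
    if verify == "NONE":
        return None  # no certificate was presented on the 8443 port
    der = certificate_der(headers.get("Ssl-Client-Cert", ""))
    if der is None:
        return None
    subject = parse_dn(headers.get("Ssl-Client-S-Dn", ""))
    issuer = parse_dn(headers.get("Ssl-Client-I-Dn", ""))
    return {
        # True only if nginx itself validated the chain; with optional_no_ca and
        # no ssl_client_certificate this stays False and the app must validate.
        "chain_verified_by_nginx": verify == "SUCCESS",
        "fingerprint_sha256": hashlib.sha256(der).hexdigest(),
        "serial": headers.get("Ssl-Client-Serial", ""),
        "issuer_cn": issuer.get("CN", ""),
        "national_number": subject.get("SERIALNUMBER", ""),  # assumption: RRN lives here
        "given_name": subject.get("GN", ""),
        "surname": subject.get("SN", ""),
        "common_name": subject.get("CN", ""),
    }


# Constructed sample input: these bytes are a placeholder, not a real X.509
# certificate, wrapped exactly the way nginx wraps $ssl_client_cert.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
_b64 = base64.b64encode(SAMPLE_DER).decode()
_lines = [_b64[i:i + 64] for i in range(0, len(_b64), 64)]
SAMPLE_CERT_HEADER = "-----BEGIN CERTIFICATE-----\n\t" + "\n\t".join(_lines) + "\n\t-----END CERTIFICATE-----"
SAMPLE_HEADERS = {
    "Ssl-Client-Verify": "FAILED:unable to get local issuer certificate",
    "Ssl-Client-S-Dn": "serialNumber=11111111111,GN=Jan,SN=Peeters,CN=Jan Peeters (Authentication),C=BE",
    "Ssl-Client-I-Dn": "CN=Citizen CA,C=BE",
    "Ssl-Client-Serial": "0102030405",
    "Ssl-Client-Cert": SAMPLE_CERT_HEADER,
}

if __name__ == "__main__":
    print(client_identity(SAMPLE_HEADERS))
```

Because the application trusts these headers, they are only meaningful when set by the 8443 server block; any other server block that proxies to the same backend should override them with empty values so that a client on the regular port cannot supply its own.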