Adaptation to Authentic 2.x for authentication and registration with the Belgian eID card
This repository has been archived on 2023-02-21. You can view files and clone it, but cannot push or open issues or pull requests.
Serghei Mihai 8faa1c9f7d replace context processor by template tag 2015-05-21 10:26:42 +02:00
debian debian: initial packaging files 2015-05-20 20:12:10 +02:00
src/authentic2_beid replace context processor by template tag 2015-05-21 10:26:42 +02:00
MANIFEST.in french locale 2015-05-20 20:12:05 +02:00
README doc update 2015-05-20 19:54:54 +02:00
setup.py initial commit 2015-05-17 15:49:43 +02:00

README

Intro
=====

This module allows user authentication and registration using the Belgian eID
card. The main idea is to redirect the user to an alternative port that requires
SSL client-certificate authentication, and to use the SSL certificate data to
authenticate the user.

Config
======

URLs that need the SSL data must be served on a separate port, which should be
declared in your BEID_AUTH_PORT setting (defaults to 8443).



Configure Nginx
===============

server {
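        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 8443 ssl;

        server_name example.com;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list only the
        # versions your clients actually need
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;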
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH$
        ssl_prefer_server_ciphers on;

        ssl_certificate         /etc/ssl/certs/example.com.pem;
        ssl_certificate_key     /etc/ssl/private/example.com.key;
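        # Request a client certificate without checking its chain in nginx;
        # the backend has to verify the certificate itself
        ssl_verify_client optional_no_ca;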

        location / {
                return 301 https://$host/;
        }

        location ~ ^/accounts/beid/(x509|signin|add|activate/.*) {
                proxy_pass         http://localhost:8000;
                proxy_read_timeout 600;
                proxy_set_header Host              $host;
                proxy_set_header X-Real-IP         $remote_addr;
                proxy_set_header X-Forwarded-For   $remote_addr;
                proxy_set_header X-Forwarded-SSL off;
                proxy_set_header X-Forwarded-Protocol ssl;
                proxy_set_header X-Forwarded-Proto http;
                proxy_set_header Ssl-Client-I-Dn $ssl_client_i_dn;
                proxy_set_header Ssl-Client-S-Dn $ssl_client_s_dn;
                proxy_set_header Ssl-Client-Serial $ssl_client_serial;
                proxy_set_header Ssl-Client-Cert $ssl_client_cert;
                proxy_set_header Ssl-Client-Verify $ssl_client_verify;
        }

}
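
With `ssl_verify_client optional_no_ca`, nginx does not check the certificate chain, and the backend receives the certificate details as plain HTTP headers, so it should accept them only from the proxy. The following WSGI guard is an added example, not code from authentic2_beid; the trusted proxy addresses, the `ClientCertHeaderGuard` name and the sample request are assumptions.

```python
"""WSGI guard for the Ssl-Client-* headers set by the nginx block above."""

# Assumption: nginx is the only trusted peer and reaches the backend over
# loopback, as in "proxy_pass http://localhost:8000".
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})
PREFIX = "HTTP_SSL_CLIENT_"  # WSGI spelling of the Ssl-Client-* headers


def scrub_client_cert_headers(environ, trusted=TRUSTED_PROXIES):
    """Remove certificate headers the backend has no reason to trust.

    Returns the names of the removed environ keys, sorted.
    Validating the certificate chain remains the application's job.
    """
    from_proxy = environ.get("REMOTE_ADDR") in trusted
    # nginx sets $ssl_client_verify to NONE when no certificate was sent.
    no_cert = environ.get(PREFIX + "VERIFY", "NONE") == "NONE"
    removed = []
    if not from_proxy or no_cert:
        for key in [k for k in environ if k.startswith(PREFIX)]:
            del environ[key]
            removed.append(key)
    return sorted(removed)


class ClientCertHeaderGuard:
    """Hypothetical middleware: wrap the WSGI application with it."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        scrub_client_cert_headers(environ, self.trusted)
        return self.app(environ, start_response)


def sample_environ(remote_addr, verify):
    """Constructed request environment, not captured traffic."""
    return {
        "REMOTE_ADDR": remote_addr,
        "PATH_INFO": "/accounts/beid/signin",
        "HTTP_SSL_CLIENT_VERIFY": verify,
        "HTTP_SSL_CLIENT_S_DN": "CN=Constructed Example,C=BE",
        "HTTP_SSL_CLIENT_SERIAL": "01",
    }
```

Other nginx server blocks that proxy to the same backend also connect from loopback, so each of them should pass these headers as empty values (for example `proxy_set_header Ssl-Client-S-Dn "";`), which stops nginx from forwarding a client-supplied copy.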