56 lines
2.4 KiB
Plaintext
56 lines
2.4 KiB
Plaintext
Intro
|
|
=====
|
|
|
|
This module allows user authentication and registration using Belgian eID card.
|
|
The main idea is to redirect user on an alternative port, requiring SSL
|
|
authentication and using SSL certificate data to authenticate user.
|
|
|
|
Config
|
|
======
|
|
|
|
Urls looking for SSL data must be defined on a separate port which should be
|
|
declared in your BEID_AUTH_PORT setting(defaults to 8443).
|
|
|
|
|
|
|
|
Configure Nginx
|
|
===============
|
|
|
|
server {
|
|
listen 8443;
|
|
|
|
server_name example.com;
|
|
|
|
ssl on;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
ssl_certificate /etc/ssl/certs/example.com.pem;
|
|
ssl_certificate_key /etc/ssl/private/example.com.key;
|
|
ssl_verify_client optional_no_ca;
|
|
|
|
location / {
|
|
return 301 https://$host/;
|
|
}
|
|
|
|
location ~ ^/accounts/beid/(x509|signin|add|activate/.*) {
|
|
proxy_pass http://localhost:8000;
|
|
proxy_read_timeout 600;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-SSL off;
|
|
proxy_set_header X-Forwarded-Protocol ssl;
|
|
proxy_set_header X-Forwarded-Proto http;
|
|
proxy_set_header Ssl-Client-I-Dn $ssl_client_i_dn;
|
|
proxy_set_header Ssl-Client-S-Dn $ssl_client_s_dn;
|
|
proxy_set_header Ssl-Client-Serial $ssl_client_serial;
|
|
proxy_set_header Ssl-Client-Cert $ssl_client_cert;
|
|
proxy_set_header Ssl-Client-Verify $ssl_client_verify;
|
|
}
|
|
|
|
}
|
|
|
|
|