Client Side Certificate Auth in Arkime
31453 edited this page Nov 17, 2020 · 1 revision
Nginx (and other web servers) can be used to provide TLS client certificate authentication for Arkime: nginx terminates TLS, verifies the client certificate against your CA, and passes the resulting identity to Arkime in an HTTP request header that Arkime trusts via `userNameHeader`. Because that trust is purely header-based, the Arkime viewer port must only be reachable from nginx (bind it to localhost or firewall it); anyone who can reach it directly can set the header themselves and log in as any user.

Change config for nginx:
- parse the CN and the serialNumber attribute out of the client certificate's subject DN
- add the CN to the access log as the username
- pass the CN, the serialNumber and the full DN to the Arkime backend as request headers
```nginx
# Pull the CN out of the client certificate's subject DN.
# These regexes expect the legacy OpenSSL "oneline" format (/C=US/O=Example/CN=alice).
# Since nginx 1.11.6 $ssl_client_s_dn is rendered in RFC 2253 form (CN=alice,O=Example,C=US);
# on those versions map $ssl_client_s_dn_legacy instead, or every request gets the default value.
map $ssl_client_s_dn $ssl_client_s_dn_cn {
    default "should_not_happen";
    ~/CN=(?<CN>[^/]+) $CN;
}
# Pull the serialNumber attribute of the subject DN. This is a DN attribute your CA has to
# put into the subject; it is not the certificate's serial number ($ssl_client_serial).
map $ssl_client_s_dn $ssl_client_s_dn_serial {
    default "should_not_happen";
    ~/serialNumber=(?<serialNumber>[^/]+) $serialNumber;
}
# Access log format with the certificate CN where the combined format has the remote user
log_format mycombined '$remote_addr $ssl_client_s_dn_cn [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
server {
    listen 443 ssl;    # "ssl on;" is deprecated; enable TLS on the listen directive instead
    server_name _PUT_YOUR_SERVER_NAME_HERE_;
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;   # CA that issued the client certificates
    ssl_verify_client on;    # reject the handshake unless a valid client cert is presented;
                             # with "optional" you would have to check $ssl_client_verify yourself
    ssl_verify_depth 4;
    # Use the format above so the CN actually shows up in the access log (log path is an example)
    access_log /var/log/nginx/arkime-access.log mycombined;
    # proxy_set_header replaces any same-named header the client sent, so Arkime only
    # ever sees values nginx derived from the verified certificate
    proxy_set_header X-CLIENT-SSL-CN     $ssl_client_s_dn_cn;
    proxy_set_header X-CLIENT-SSL-Serial $ssl_client_s_dn_serial;
    proxy_set_header X-CLIENT-SSL-DN     $ssl_client_s_dn;
    proxy_set_header X-CLIENT-Real-IP    $remote_addr;
    proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
    location / {
        root /var/www/;
    }
    # This regex matches only the exact path /arkime; widen it to cover your Arkime webBasePath
    location ~ ^/arkime$ {
        proxy_pass http://_PUT_YOUR_Arkime_SERVER_IP_AND_PORT_HERE_;
        proxy_read_timeout 600;
    }
}
```
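To see exactly what the two `map` blocks hand to Arkime, here is an added Python model of them (example code written for this page, not part of nginx or Arkime). It reproduces the page's regexes against constructed DN strings in both formats nginx can expose, and next to them a small parser that handles either format and RFC 2253 escaping. `page_headers`, `parse_dn`, the sample DNs and their attribute values are all assumptions made for this example.

```python
import re

# nginx/PCRE writes named groups as (?<name>...); Python's re needs (?P<name>...).
# Apart from that these are the two map regexes from the nginx config, unchanged.
LEGACY_CN = re.compile(r"/CN=(?P<CN>[^/]+)")
LEGACY_SERIAL = re.compile(r"/serialNumber=(?P<serialNumber>[^/]+)")
MAP_DEFAULT = "should_not_happen"


def nginx_map(dn: str, pattern: re.Pattern, group: str) -> str:
    """Mimic one `map $ssl_client_s_dn ...` block: the regex entry wins if it
    matches anywhere in the DN, otherwise the `default` value is returned."""
    m = pattern.search(dn)
    return m.group(group) if m else MAP_DEFAULT


def page_headers(dn: str) -> dict:
    """Headers the nginx config would send to Arkime for a given $ssl_client_s_dn."""
    return {
        "X-CLIENT-SSL-CN": nginx_map(dn, LEGACY_CN, "CN"),
        "X-CLIENT-SSL-Serial": nginx_map(dn, LEGACY_SERIAL, "serialNumber"),
        "X-CLIENT-SSL-DN": dn,
    }


def _split_unescaped(s: str, sep: str) -> list:
    """Split on `sep` unless it is backslash-escaped (RFC 2253 escapes ',' as '\\,')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):   # keep the escape pair together
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> dict:
    """Parse a subject DN in either format into {attribute: value}.
    Legacy OpenSSL oneline: /C=US/O=Example Org/CN=alice  (what $ssl_client_s_dn_legacy gives)
    RFC 2253:               CN=alice,O=Example Org,C=US   (what $ssl_client_s_dn gives on nginx >= 1.11.6)
    The first occurrence of an attribute wins, which is also what the nginx regexes pick."""
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = _split_unescaped(dn, ",")
    attrs = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip(), re.sub(r"\\(.)", r"\1", value))  # drop RFC 2253 escapes
    return attrs


# Constructed sample DNs (assumed, not from a real certificate) for one certificate,
# rendered the way the two nginx variables would show it.
LEGACY_DN = "/C=US/O=Example Org/serialNumber=0042/CN=alice"
RFC2253_DN = "CN=alice,serialNumber=0042,O=Example Org,C=US"
RFC2253_ESCAPED_DN = r"CN=Smith\, John,serialNumber=0043,O=Example Org,C=US"

if __name__ == "__main__":
    print(page_headers(LEGACY_DN))            # CN "alice", Serial "0042"
    print(page_headers(RFC2253_DN))           # both "should_not_happen": regexes need the legacy format
    print(parse_dn(RFC2253_ESCAPED_DN)["CN"])  # Smith, John
```

The second `print` is the case to watch for: if the header value Arkime receives is `should_not_happen`, nginx is handing the map an RFC 2253 DN and you need to switch the map source to `$ssl_client_s_dn_legacy` (or adjust the regexes).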
Change config for Arkime (config.ini):
- set userNameHeader to the lower-case version of the header nginx is setting (Node lower-cases incoming header names). With the config above that is `x-client-ssl-serial`; use `x-client-ssl-cn` instead if you want the CN to be the user ID.
```ini
userNameHeader=x-client-ssl-serial
```
The value of that header becomes the Arkime user ID, so create each user with that ID (the subject serialNumber in this setup) and, using the Arkime UI, make sure "Web Auth Header" is checked for those users; the flag is per user and header authentication is only accepted for users that have it enabled.