From 0cc9f98ab48a4eddcbc7c9f3ff065d0e604fe601 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Mon, 22 Jun 2015 13:23:22 +0300
Subject: [PATCH] abusesa::services: Allow restricting access based on client certificate DN

---
 abusesa/manifests/services.pp | 1 +
 abusesa/templates/services/nginx.conf.erb | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp
index 96269b8..1109d16 100644
--- a/abusesa/manifests/services.pp
+++ b/abusesa/manifests/services.pp
@@ -1,6 +1,7 @@
 # Configure AbuseSA services.
 #
 class abusesa::services(
+  $allow_dn=undef,
   $services=[],
   $socketdir='/var/lib/abuserv/run',
 ) {
diff --git a/abusesa/templates/services/nginx.conf.erb b/abusesa/templates/services/nginx.conf.erb
index f0486b4..227bd1a 100644
--- a/abusesa/templates/services/nginx.conf.erb
+++ b/abusesa/templates/services/nginx.conf.erb
@@ -1,6 +1,6 @@
 log_format abusesa '$remote_addr - $http_x_remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
-                   '"$http_referer" "$http_user_agent"';
+                   '"$http_referer" "$http_user_agent" "$ssl_client_s_dn"';
 
 server {
   listen 8443;
@@ -15,6 +15,12 @@ server {
 
   proxy_buffering off;
 
+<% if @allow_dn -%>
+  if ($ssl_client_s_dn != "<%= @allow_dn %>") {
+    return 403;
+  }
+
+<% end -%>
 <% @services.each do |service|
   dir, sep, sock = service.rpartition('/')
   dir = @socketdir if dir.empty?
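Review bot: The new `$allow_dn` parameter is undocumented, and the class header comment still only says "Configure AbuseSA services.", so a reader of the manifest cannot tell that it is a single string compared for exact equality against the client certificate's subject DN, or that `undef` leaves the restriction switched off. Add a parameter note above the class such as `# $allow_dn: when set, only clients presenting a certificate whose subject DN equals this string exactly are served; undef disables the check.` Because the template does a literal string comparison, the comment should also tell operators which DN rendering to supply (nginx's subject-DN format has differed between versions, so verify against the deployed nginx rather than guessing). The class body continues outside the hunk.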
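Review bot: The new check compares only `$ssl_client_s_dn`, which nginx fills from whatever certificate the client presented; unless `ssl_verify_client on` is set elsewhere in this server block (not visible in the hunk; with `optional` or `optional_no_ca` an unverified or self-signed certificate can still populate the variable, as far as I can tell), a client could present a self-signed certificate carrying the expected subject and pass. Gate on the verification result as well, e.g. `if ($ssl_client_verify != SUCCESS) { return 403; }` placed before the DN comparison, so the access decision depends on a certificate chained to the configured CA rather than on the subject string alone. `@allow_dn` is also interpolated unescaped into a double-quoted nginx string, so a DN containing `"` would produce a config that fails to load; it is operator-supplied, but a short comment in the template (`# allow_dn must not contain unescaped double quotes`) or validation in the manifest would avoid a confusing reload failure. Using a bare `return` as the only statement inside `if` is the safe form of nginx's `if`, so that part is fine. The enclosing `server` block starts and ends outside the hunk.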