abusesa::services: Allow restricting access based on client certificate DN

2015-06-22 13:23:22 +03:00 · 2015-06-22 13:23:22 +03:00 · 0cc9f98ab4
commit 0cc9f98ab4
parent 23a9802363
2 changed files with 8 additions and 1 deletions
--- a/abusesa/manifests/services.pp
+++ b/abusesa/manifests/services.pp
@ -1,6 +1,7 @@
 # Configure AbuseSA services.
 #
 class abusesa::services(
+  $allow_dn=undef,
  $services=[],
  $socketdir='/var/lib/abuserv/run',
 ) {
--- a/abusesa/templates/services/nginx.conf.erb
+++ b/abusesa/templates/services/nginx.conf.erb
@ -1,6 +1,6 @@
 log_format abusesa '$remote_addr - $http_x_remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
-                   '"$http_referer" "$http_user_agent"';
+                   '"$http_referer" "$http_user_agent" "$ssl_client_s_dn"';

 server {
    listen 8443;
@ -15,6 +15,12 @@ server {

    proxy_buffering off;

+<% if @allow_dn -%>
+    if ($ssl_client_s_dn != "<%= @allow_dn %>") {
+        return 403;
+    }
+
+<% end -%>
 <% @services.each do |service|
     dir, sep, sock = service.rpartition('/')
     dir = @socketdir if dir.empty?