Skip to main content
Version: 7.2402.x.x RR

Block clients with a wrong DN by using the LuaFilter

This chapter describes how to prevent clients with a "wrong" certificate from accessing your applications. In particular, we show you how to use the LuaFilter to block these clients. Here, a "wrong" client certificate means that the certificate holds a Distinguished Name (DN) which does not fit your Common Name (CN).

Previously, it was possible to use the SSLRequire parameter in combination with Apache's mod_ssl module to block clients with a "wrong" certificate. However, Apache has deprecated the SSLRequire parameter. As a replacement, you can use the nevisProxy LuaFilter, which is more flexible and powerful than the SSLRequire parameter. For instance, the SSLRequire parameter could only be applied to a connector, whereas the LuaFilter solution can be mapped to a specific path.

Prerequisite

To get the necessary TLS-related environment variables, at least configure the following settting in the navajo.xml file:

SSLOptions=+StdEnvVars

Example

This example shows how to block clients holding a certificate with the wrong DN.

  1. Create a filter of class LuaFilter according to the sample code below.
  2. Map this filter onto the desired path.

This filter prevents nevisProxy from accepting a client that does not provide a certificate with the correct DN. As a response, nevisProxy sends a 403 error to the client.

<filter>
<filter-name>SSLRequire</filter-name>
<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
<init-param>
<param-name>Script.InputHeaderFunctionName</param-name>
<param-value>inputHeader</param-value>
</init-param>
<init-param>
<param-name>Script</param-name>
<param-value>
tracer = nevis.io.tracer.new("SSLRequire")
function inputHeader(req, resp)
if tostring(req:getEnv("SSL_CLIENT_I_DN")) ~= "/C=CH/O=Your Organization Name/OU=PROD/CN=Your Common Name"
and tostring(req:getEnv("SSL_CLIENT_I_DN")) ~= "/C=CH/O=Yet Another Organization Name/OU=PROD/CN=Yet Another Common Name" then
tracer:error("Forbidden request: Wrong Client DN")
resp:send(403)
end
end
</param-value>
</init-param>
</filter>