Skip to main content
Version: 3.14.x.x LTS

Block clients with a wrong DN by using the LuaFilter

This chapter describes how to prevent clients with a "wrong" certificate from accessing your applications. In particular, we show you how to use the LuaFilter to block these clients. Here, a "wrong" client certificate means that the certificate holds a Distinguished Name (DN) which does not fit your Common Name (CN).

Previously, it was possible to use the SSLRequire parameter in combination with Apache's mod_ssl module to block clients with a "wrong" certificate. However, Apache has deprecated the SSLRequire parameter. As a replacement, you can use the nevisProxy LuaFilter, which is more flexible and powerful than the SSLRequire parameter. For instance, the SSLRequire parameter could only be applied to a connector, whereas the LuaFilter *solution can be mapped to a specific path.*Prerequisite To get the necessary TLS-related environment variables, at least configure the following settting in the navajo.xml file:

SSLOptions=+StdEnvVars

Example

This example shows how to block clients holding a certificate with the wrong DN.

  1. Create a filter of class LuaFilter according to the sample code below.
  2. Map this filter onto the desired path.

This filter prevents nevisProxy from accepting a client that does not provide a certificate with the correct DN. As a response, nevisProxy sends a 403 error to the client.

<filter>
 <filter-name>SSLRequire</filter-name>
 <filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
 <init-param>
  <param-name>Script.InputHeaderFunctionName</param-name>
  <param-value>inputHeader</param-value>
 </init-param>
 <init-param>
  <param-name>Script</param-name>
  <param-value>
  tracer = nevis.io.tracer.new("SSLRequire")
  function inputHeader(req, resp)
   if tostring(req:getEnv("SSL_CLIENT_I_DN")) ~= "/C=CH/O=Your Organization Name/OU=PROD/CN=Your Common Name"
    and tostring(req:getEnv("SSL_CLIENT_I_DN")) ~= "/C=CH/O=Yet Another Organization Name/OU=PROD/CN=Yet Another Common Name" then
    tracer:error("Forbidden request: Wrong Client DN")
    resp:send(403)
   end
  end
  </param-value>
 </init-param>
</filter>