Forked from cnafsd / ngx_http_voms_module (59 commits behind the upstream repository). Latest commit 540efe4b, authored by lcappelli.

ngx_http_voms_module


Description

ngx_http_voms_module is a module for the Nginx web server that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a Virtual Organization Membership Service (VOMS) server.

The module defines a set of embedded variables, whose values are extracted from the first Attribute Certificate found in the certificate chain.

Installation

The generic installation instructions are:

$ cd nginx-x.y.z
$ ./configure --add-module=/path/to/ngx_http_voms_module
$ make && make install

The module is written in C++ and uses C++14 features that are supported by gcc 4.8.5 (the version shipped with CentOS 7) when the option -std=c++1y is enabled (see config.make).

A Docker image is available for use in the context of the StoRM2 project, where the OpenResty distribution is used:

$ docker run --rm -it -v /path/to/ngx_http_voms_module:/home/build/ngx_http_voms_module storm2/ngx-voms-build
$ cd openresty-x.y.z
$ ./configure ${RESTY_CONFIG_OPTIONS} --add-module=../ngx_http_voms_module
$ make && make install

Embedded Variables

The module makes the following embedded variables available for use in an Nginx configuration file:

voms_user

The Subject of the End-Entity certificate, used to sign the proxy.

Example: /C=IT/O=IGI/CN=test0

ssl_client_ee_s_dn

Like voms_user, the Subject of the End-Entity certificate. Unlike voms_user, it is available even for non-VOMS proxies and is formatted according to RFC 2253.

Example: CN=test0,O=IGI,C=IT

voms_user_ca

The Issuer (Certificate Authority) of the End-Entity certificate.

Example: /C=IT/O=IGI/CN=Test CA

ssl_client_ee_i_dn

Like voms_user_ca, the Issuer of the End-Entity certificate. Unlike voms_user_ca, it is available even for non-VOMS proxies and is formatted according to RFC 2253.

Example: CN=Test CA,O=IGI,C=IT

voms_fqans

A comma-separated list of Fully Qualified Attribute Names. See The VOMS Attribute Certificate Format for more details.

Example: /test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO

voms_server

The Subject of the VOMS server certificate, used to sign the Attribute Certificate.

Example: /C=IT/O=IGI/CN=voms.example

voms_server_ca

The Issuer (Certificate Authority) of the VOMS server certificate.

Example: /C=IT/O=IGI/CN=Test CA

voms_vo

The name of the Virtual Organization (VO) to which the End Entity belongs.

Example: test.vo

voms_server_uri

The hostname and port of the VOMS network service that issued the Attribute Certificate, in the form hostname:port.

Example: voms.example:15000

voms_not_before

The date before which the Attribute Certificate is not yet valid, in the form YYYYMMDDhhmmssZ.

Example: 20180101000000Z

voms_not_after

The date after which the Attribute Certificate is no longer valid, in the form YYYYMMDDhhmmssZ.

Example: 20180101120000Z

voms_generic_attributes

A comma-separated list of attributes, each defined by three properties and formatted as n=name v=value q=qualifier. The qualifier typically coincides with the name of the VO.

Example: n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo

voms_serial

The serial number of the Attribute Certificate in hexadecimal format.

Example: 7B
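As an added example (not code from the module or its test suite), the following Python shows how an upstream application that receives these variable values, for instance forwarded by proxy_set_header directives, could parse the voms_fqans, voms_generic_attributes and validity-time formats described above and turn them into an access decision. The header forwarding, the function names and the sample values are assumptions; the sample reuses the example values listed above.

```python
from datetime import datetime, timezone

def parse_fqans(value):
    """Split a voms_fqans value into (group, role) pairs; a missing or NULL role is None."""
    pairs = []
    for fqan in filter(None, value.split(",")):
        group, _, rest = fqan.partition("/Role=")
        role = rest.split("/", 1)[0] if rest else None  # drop any trailing /Capability=...
        pairs.append((group, None if role == "NULL" else role))
    return pairs

def parse_generic_attributes(value):
    """Parse 'n=name v=value q=qualifier' entries into dicts; assumes values contain no spaces."""
    return [dict(tok.split("=", 1) for tok in item.split(" ") if "=" in tok)
            for item in filter(None, value.split(","))]

def parse_voms_time(value):
    """Parse the YYYYMMDDhhmmssZ form of voms_not_before / voms_not_after into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S%z")

def authorize(env, required_vo, required_fqan, now):
    """Return (allowed, reason); env maps module variable names to strings (empty without an AC)."""
    if not env.get("voms_vo"):  # no Attribute Certificate in the chain
        return False, "no VOMS Attribute Certificate in the chain"
    if env["voms_vo"] != required_vo:  # AC issued for another VO
        return False, "unexpected VO %r" % env["voms_vo"]
    not_before = parse_voms_time(env["voms_not_before"])
    not_after = parse_voms_time(env["voms_not_after"])
    if not (not_before <= now <= not_after):  # AC not yet valid or expired
        return False, "Attribute Certificate outside its validity window"
    want_group, _, want_role = required_fqan.partition("/Role=")
    for group, role in parse_fqans(env.get("voms_fqans", "")):
        if group == want_group and (not want_role or role == want_role):
            return True, "granted by FQAN %s" % required_fqan
    return False, "required FQAN %s not present" % required_fqan

# Constructed sample built from the example values in the variable descriptions above.
SAMPLE_VARS = {
    "voms_vo": "test.vo",
    "voms_fqans": "/test.vo/exp1,/test.vo/exp2,/test.vo/exp3/Role=PIPPO",
    "voms_not_before": "20180101000000Z",
    "voms_not_after": "20180101120000Z",
    "voms_generic_attributes": "n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo",
}

if __name__ == "__main__":
    now = datetime(2018, 1, 1, 6, tzinfo=timezone.utc)  # inside the sample validity window
    print(authorize(SAMPLE_VARS, "test.vo", "/test.vo/exp3/Role=PIPPO", now))  # granted
    print(authorize(SAMPLE_VARS, "test.vo", "/test.vo/exp1/Role=PIPPO", now))  # denied: exp1 has no role
```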

Testing

Setup and files to test the ngx_http_voms_module are contained in the t folder.