From 7b3957b7a20f272f5d00497b139b607a93908c40 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus
Date: Wed, 30 Oct 2019 13:11:28 +0100
Subject: [PATCH] nginx: berlin: Require authentication for Cuirass /admin routes.

* hydra/nginx/berlin.scm (berlin-locations): Require client certificate authentication on /admin location. (%berlin-servers): Verify client certificate optionally on ci.guix.gnu.org.
---
hydra/nginx/berlin.scm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
index 40a757b..2947759 100644
--- a/hydra/nginx/berlin.scm
+++ b/hydra/nginx/berlin.scm
@@ -171,6 +171,10 @@ PUBLISH-URL."
 (nginx-location-configuration
 (uri "/")
 (body
 (list "proxy_pass http://localhost:8081;")))
+ (nginx-location-configuration
+ (uri "~ ^/admin")
+ (body
+ (list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://localhost:8081;")))
 (nginx-location-configuration
 (uri "/static")
@@ -575,7 +579,11 @@ PUBLISH-URL."
 "access_log /var/log/nginx/https.access.log;"
 "proxy_set_header X-Forwarded-Host $host;"
 "proxy_set_header X-Forwarded-Port $server_port;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))))
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ ;; For Cuirass admin interface authentication
+ "ssl_client_certificate /etc/ssl-ca/certs/ca.crt;"
+ "ssl_crl /etc/ssl-ca/private/ca.crl;"
+ "ssl_verify_client optional;"))))
 (nginx-server-configuration
 (listen '("443 ssl"))
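Review bot: The new `~ ^/admin` location in the first hunk carries no comment explaining why the access check lives in an `if`/`return` block instead of a server-level `ssl_verify_client on`, and why it only accepts the literal `SUCCESS`; a reader changing `%berlin-servers` later could break the coupling without noticing. I would add above `(uri "~ ^/admin")`: `;; Cuirass admin pages require a client certificate issued by our CA.  The` / `;; 443 server block sets "ssl_verify_client optional" so other routes stay` / `;; open; any $ssl_client_verify value other than SUCCESS (NONE, FAILED:*, or empty on a server without client verification) is refused with 403, i.e. this fails closed.` The regex is open-ended, so it also covers `/admin-anything`, which is fine for a fail-closed rule but worth a word in the same comment if Cuirass has non-admin routes under that prefix. If the admin backend should be able to attribute actions, consider forwarding `$ssl_client_s_dn` in a `proxy_set_header` line here, noting that any `proxy_set_header` in the location stops inheritance of the server-level `X-Forwarded-*` headers and they would have to be repeated. The `berlin-locations` definition starts before this hunk, and the `ssl_verify_client optional` directive it relies on is in the second hunk.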