mirror of
git://git.savannah.gnu.org/guix/maintenance.git
synced 2023-12-14 03:33:04 +01:00
nginx: berlin: Require authentication for Cuirass /admin routes.
* hydra/nginx/berlin.scm (berlin-locations): Require client certificate authentication on /admin location. (%berlin-servers): Verify client certificate optionally on ci.guix.gnu.org.
This commit is contained in:
parent
16c4bd7162
commit
7b3957b7a2
1 changed files with 9 additions and 1 deletions
|
@ -171,6 +171,10 @@ PUBLISH-URL."
|
|||
(nginx-location-configuration
|
||||
(uri "/")
|
||||
(body (list "proxy_pass http://localhost:8081;")))
|
||||
(nginx-location-configuration
|
||||
(uri "~ ^/admin")
|
||||
(body
|
||||
(list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://localhost:8081;")))
|
||||
|
||||
(nginx-location-configuration
|
||||
(uri "/static")
|
||||
|
@ -575,7 +579,11 @@ PUBLISH-URL."
|
|||
"access_log /var/log/nginx/https.access.log;"
|
||||
"proxy_set_header X-Forwarded-Host $host;"
|
||||
"proxy_set_header X-Forwarded-Port $server_port;"
|
||||
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))))
|
||||
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
|
||||
;; For Cuirass admin interface authentication
|
||||
"ssl_client_certificate /etc/ssl-ca/certs/ca.crt;"
|
||||
"ssl_crl /etc/ssl-ca/private/ca.crl;"
|
||||
"ssl_verify_client optional;"))))
|
||||
|
||||
(nginx-server-configuration
|
||||
(listen '("443 ssl"))
|
||||
|
|
Loading…
Reference in a new issue