Mert Ilis

Nov 27, 2017


Hosting ASP.NET Core 2.0 Web Api on Azure Ubuntu Server with Nginx and Mutual SSL Authentication (PART 5)

PART 5: Mutual SSL Setup for Client Authentication and Passing Client Certificate Data to Asp.Net Core App

Mutual SSL Setup for Client Authentication

# Directory for the CA bundle (Bundle.crt) that nginx's ssl_client_certificate points at
# below; it must contain the CA(s) that issued the *client* certificates, not the server cert.
/etc/ssl/ca/certs/
# Edit the default nginx site and add the client-verification directives to the 443 server block.
sudo nano /etc/nginx/sites-available/default
# Client-certificate verification for the 443 server block (one directive per line).
ssl_client_certificate /etc/ssl/ca/certs/Bundle.crt;   # CA(s) a client cert must chain to
ssl_verify_client      on;                              # handshake fails without a valid client cert
ssl_verify_depth       2;                               # maximum chain depth nginx will walk
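# Validate the edited config before restarting; a syntax error would take the site down.
sudo nginx -t
sudo systemctl restart nginx
# Smoke-test mutual TLS.
# FIX: curl's client-certificate options are --key and --cert (two dashes). The original
# single-dash "-key"/"-cert" are not those options (curl reads them as bundled
# single-letter flags), so the client certificate was not actually being presented.
# -k skips verification of the SERVER certificate; it is only needed while nginx serves
# the self-signed nginx-selfsigned.crt. Prefer --cacert /etc/ssl/certs/nginx-selfsigned.crt
# (or drop -k once a CA-issued server cert is installed) so the test also proves you are
# talking to the right host.
curl -v -k --key /etc/ssl/private/client.key --cert /etc/ssl/certs/client.crt https://webapi.westeurope.cloudapp.azure.com/api/values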

Passing Client Certificate Data to Asp.Net Core App

# Re-open the site config to forward the verified client certificate to the backend (location block).
sudo nano /etc/nginx/sites-available/default
# Inside "location /": collapse the PEM client certificate onto one line (newlines -> spaces)
# and pass it upstream as X-Client-Cert. set_by_lua needs the Lua module (e.g. OpenResty /
# nginx-extras); without it "nginx -t" rejects the directive.
set_by_lua $client_cert "return ngx.var.ssl_client_raw_cert and ngx.var.ssl_client_raw_cert:gsub('\\n',' ') or nil";
proxy_set_header X-Client-Cert $client_cert;
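# HTTP: redirect everything to HTTPS; nothing is served in clear text.
server {
    listen 80;
    server_name webapi.westeurope.cloudapp.azure.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name webapi.westeurope.cloudapp.azure.com;

    # Server identity. Self-signed for now, so clients must either trust this file
    # explicitly (curl --cacert) or skip verification (curl -k) until a CA-issued
    # certificate replaces it. ("ssl on;" was dropped: deprecated and redundant with
    # "listen 443 ssl".)
    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    # FIX: SSLv3 (POODLE) and TLS 1.0/1.1 were enabled. Only TLS 1.2 is kept;
    # add TLSv1.3 once the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Session resumption through the server-side cache only; tickets stay off so a
    # long-lived ticket key cannot undermine forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling does nothing useful for a self-signed certificate (no responder
    # to query); it only becomes meaningful with a CA-issued server certificate.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Mutual TLS: every request must present a certificate chaining to a CA in Bundle.crt.
    # Revocation is NOT checked here; add "ssl_crl <file>;" if client certs can be revoked.
    ssl_client_certificate /etc/ssl/ca/certs/Bundle.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Debug-level logging records full handshake detail; lower it to "warn"/"error"
    # once the mTLS setup has been verified.
    error_log /var/log/nginx/debugnginx.log debug;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Forward the verified client certificate as one header line (PEM newlines
        # replaced by spaces). proxy_set_header overwrites any X-Client-Cert the client
        # sent, so the backend may trust the value -- but ONLY if port 5000 is reachable
        # from nowhere except this nginx (keep Kestrel bound to localhost and firewalled);
        # anyone who can reach 5000 directly can forge the header.
        # set_by_lua needs the Lua module; on nginx 1.13.5+ the built-in
        # $ssl_client_escaped_cert (URL-encoded PEM) avoids Lua entirely.
        set_by_lua $client_cert "return ngx.var.ssl_client_raw_cert and ngx.var.ssl_client_raw_cert:gsub('\\n',' ') or nil";
        proxy_set_header X-Client-Cert $client_cert;
        proxy_cache_bypass $http_upgrade;
    }
}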

Reading the Client Certificate from the X-Client-Cert Header in the ASP.NET Core 2.0 Web API

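// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
// Configures the forwarded-headers middleware for the single nginx reverse proxy in
// front of Kestrel, then the developer exception page (development only) and MVC.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // nginx (the only hop in front of Kestrel) sets X-Forwarded-For and
    // X-Forwarded-Proto and passes Host through unchanged, so only those two
    // headers are honoured. ForwardedHeaders.All would also accept X-Forwarded-Host,
    // which a caller could use to spoof the request host.
    var forwardedHeadersOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
        // nginx appends to any client-supplied X-Forwarded-For chain
        // ($proxy_add_x_forwarded_for) but sends exactly one X-Forwarded-Proto, so the
        // two headers can carry different value counts; with symmetry required the
        // middleware would ignore both.
        RequireHeaderSymmetry = false,
        // One proxy hop: consume exactly one entry per header. null meant "unlimited".
        ForwardLimit = 1,
    };
    // FIX: the original cleared KnownNetworks and KnownProxies, which makes the
    // middleware accept X-Forwarded-* from ANY source address -- a client reaching
    // Kestrel directly could then spoof its IP and scheme. The defaults already trust
    // the loopback addresses, which is where nginx connects from
    // (proxy_pass http://localhost:5000), so nothing needs to be cleared or added.
    app.UseForwardedHeaders(forwardedHeadersOptions);

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseMvc();
}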
// The verified client certificate arrives as a single header line: nginx forwards
// $ssl_client_raw_cert with its PEM newlines replaced by spaces (the set_by_lua gsub
// above), so restore the line breaks before parsing it -- NOTE(review): confirm the
// exact PEM framing against a real request before feeding it to X509Certificate2.
// Trust this header only for requests that came through nginx; nothing in the app
// proves that, so Kestrel (port 5000) must not be reachable directly.
Request.Headers["X-Client-Cert"]