SSL client certificate login pt.1
February 23rd, 2008
Being inspired by Dr.Nic I jumped on the idea of making a plugin to handle client certificate login in a Rails app. But before writing a single line of code I bumped into a problem with my favorite web server, nginx. When you set up client certificates in Apache, you must use the SSLRequire directive to check whether the client certificate provided by the user is the one you wanted to see from him. This is actually useful when you do some manual user restriction. But in the case of an app behind Apache managing logins, you can just omit this directive, pass the SSL_CLIENT_S_DN header to your script and you’re done.
But with nginx, this is not the case. You have to use the ssl_verify_client directive to check the user’s cert. If the check passes, nginx happily forwards the certificate headers to your script and everything is fine. But if the check fails, nginx generates an error. You have the option to handle that error (actually, to redirect the user somewhere), but that’s not what I want. The problem is that you can NOT redirect the user to a page on the same domain while still using https, because the certificate will be checked again and the user will find himself in an infinite loop.
Maybe I should write a patch for nginx adding something like an “ssl_verify_client_enforce” option to override this behavior, but I’ll leave that for later. For now I’ll try implementing a scheme where the user goes to an https://domain/login page, and if the certificate check fails I’ll redirect him to http://domain/login to check his username/password. This way I can make it work no matter which server it happens to use.
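For reference, here is what the scheme above looks like as an nginx configuration. This is an added example, not the post’s own config: it relies on the `optional` mode of ssl_verify_client (which later nginx releases provide and which removes the failed-handshake error the post describes), and the hostname, paths and upstream port are placeholders.

```nginx
# Added example: client-cert login on /login with a password fallback.
# Placeholder hostname, certificate paths and upstream port throughout.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;  # CA that issued the client certs

    # Request a client certificate but do not fail the handshake when it is
    # missing or invalid; the outcome is exposed in $ssl_client_verify
    # ("SUCCESS", "NONE" or "FAILED...") instead of an error page.
    ssl_verify_client optional;
    ssl_verify_depth  2;

    location /login {
        # No valid certificate: fall back to username/password, as the post
        # proposes. With optional mode the fallback could also stay on https,
        # since the handshake itself no longer fails.
        if ($ssl_client_verify != SUCCESS) {
            return 302 http://example.com/login;
        }
        proxy_pass http://127.0.0.1:3000;
        # Always set these from nginx's own variables so a client cannot
        # smuggle a forged DN header past the proxy.
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}

server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        # Plain-http requests must never carry a trusted DN header.
        proxy_set_header X-SSL-Client-S-DN   "";
        proxy_set_header X-SSL-Client-Verify "NONE";
    }
}
```

The application should trust X-SSL-Client-S-DN only when X-SSL-Client-Verify is SUCCESS, and only on requests that arrived through this proxy.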

February 24th, 2008 at 12:26 AM
I shall stay tuned for the next gripping installment! :)