
HJianBo commented on September 12, 2024

Is it a two-way SSL connection? The %C and %d parameter values are taken from the client's certificate.

from emqx-auth-http.

haowanxing commented on September 12, 2024

Is it a two-way SSL connection? The %C and %d parameter values are taken from the client's certificate.

Yes. I put my config here; the only changes from the default conf file:
[emqx.conf]

## Path to the file containing the user's private PEM-encoded key.
##
## See: http://erlang.org/doc/man/ssl.html
##
## Value: File
listener.ssl.external.keyfile = etc/certs/key.pem

## Path to a file containing the user certificate.
##
## See: http://erlang.org/doc/man/ssl.html
##
## Value: File
listener.ssl.external.certfile = etc/certs/cert.pem

## Path to the file containing PEM-encoded CA certificates. The CA certificates
## are used during server authentication and when building the client certificate chain.
##
## Value: File
listener.ssl.external.cacertfile = etc/certs/cacert.pem

## The Ephemeral Diffie-Hellman key exchange is a very effective way of
## ensuring Forward Secrecy by exchanging a set of keys that never hit
## the wire. Since the DH key is effectively signed by the private key,
## it needs to be at least as strong as the private key. In addition,
## the default DH groups that most of the OpenSSL installations have
## are only a handful (since they are distributed with the OpenSSL
## package that has been built for the operating system it’s running on)
## and hence predictable (not to mention, 1024 bits only).
## In order to escape this situation, first we need to generate a fresh,
## strong DH group, store it in a file and then use the option below,
## to force our SSL application to use the new DH group. Fortunately,
## OpenSSL provides us with a tool to do that. Simply run:
## openssl dhparam -out dh-params.pem 2048
##
## Value: File
## listener.ssl.external.dhfile = etc/certs/dh-params.pem

## A server only does x509-path validation in mode verify_peer,
## as it then sends a certificate request to the client (this
## message is not sent if the verify option is verify_none).
## You may then also want to specify the option fail_if_no_peer_cert.
## More information at: http://erlang.org/doc/man/ssl.html
##
## Value: verify_peer | verify_none
listener.ssl.external.verify = verify_peer

## Used together with {verify, verify_peer} by an SSL server. If set to true,
## the server fails if the client does not have a certificate to send, that is,
## sends an empty certificate.
##
## Value: true | false
listener.ssl.external.fail_if_no_peer_cert = true

[emqx_auth_http.conf]

##--------------------------------------------------------------------
## HTTP Auth/ACL Plugin
##--------------------------------------------------------------------


##------------------------------------------------------------------------------
## SSL options

## Path to the file containing PEM-encoded CA certificates. The CA certificates
## are used during server authentication and when building the client certificate chain.
##
## Value: File
auth.http.ssl.cacertfile = etc/certs/ca.pem

## The path to a file containing the client's certificate.
##
## Value: File
auth.http.ssl.certfile = etc/certs/client-cert.pem

## Path to a file containing the client's private PEM-encoded key.
##
## Value: File
auth.http.ssl.keyfile = etc/certs/client-key.pem

##--------------------------------------------------------------------
## HTTP Request Headers
##
## Example: auth.http.header.Accept-Encoding = *
##
## Value: String
## auth.http.header.Accept = */*

##--------------------------------------------------------------------
## Authentication request.
##
## Variables:
##  - %u: username
##  - %c: clientid
##  - %a: ipaddress
##  - %r: protocol
##  - %P: password
##  - %p: sockport of server accepted
##  - %C: common name of client TLS cert
##  - %d: subject of client TLS cert
##
## Value: URL
auth.http.auth_req = http://127.0.0.1:8080/v1/mqtt/auth
## Value: post | get | put
auth.http.auth_req.method = post
## Value: Params
auth.http.auth_req.params = clientid=%c,username=%u,password=%P,commonname=%C,subject=%d,protocol=%r,ipaddress=%a

##--------------------------------------------------------------------
## Superuser request.
##
## Variables:
##  - %u: username
##  - %c: clientid
##  - %a: ipaddress
##  - %r: protocol
##  - %P: password
##  - %p: sockport of server accepted
##  - %C: common name of client TLS cert
##  - %d: subject of client TLS cert
##
## Value: URL
auth.http.super_req = http://127.0.0.1:8080/v1/mqtt/superuser
## Value: post | get | put
auth.http.super_req.method = post
## Value: Params
auth.http.super_req.params = clientid=%c,username=%u

##--------------------------------------------------------------------
## ACL request.
##
## Variables:
##  - %A: 1 | 2, 1 = sub, 2 = pub
##  - %u: username
##  - %c: clientid
##  - %a: ipaddress
##  - %r: protocol
##  - %m: mountpoint
##  - %t: topic
##
## Value: URL
auth.http.acl_req = http://127.0.0.1:8080/v1/mqtt/acl
## Value: post | get | put
auth.http.acl_req.method = post
## Value: Params
auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m

##------------------------------------------------------------------------------
## HTTP Request options

## Timeout for the HTTP request; 0 means no timeout.
##
## Value: Duration
## -h: hour, e.g. '2h' for 2 hours
## -m: minute, e.g. '5m' for 5 minutes
## -s: second, e.g. '30s' for 30 seconds
##
## Default: 0
## auth.http.request.timeout = 0

## Connection time-out time, used during the initial request
## when the client is connecting to the server
##
## Value: Duration
##
## Default is same with the timeout option
## auth.http.request.connect_timeout = 0

## Number of times to re-send the HTTP request
##
## Value: integer
##
## Default: 3
auth.http.request.retry_times = 3

## The interval for re-sending the http request
##
## Value: Duration
##
## Default: 1s
auth.http.request.retry_interval = 1s

## The 'Exponential Backoff' mechanism for re-sending the request. The actual
## re-send interval is `interval * backoff ^ times`
##
## Value: float
##
## Default: 2.0
auth.http.request.retry_backoff = 2.0

from emqx-auth-http.

haowanxing commented on September 12, 2024

Here I signed a new client certificate, but the issue is still not fixed.
Maybe the certificate is wrong? I am really puzzled.

from emqx-auth-http.

HJianBo commented on September 12, 2024

Hi @haowanxing, these confs seem impeccable. I'll try it later.

from emqx-auth-http.

HJianBo commented on September 12, 2024

It was introduced in v4.0.0 by a structural adjustment in emqx. I will fix it as soon as possible. Thanks for your feedback here.

from emqx-auth-http.

HJianBo commented on September 12, 2024

Hi guys, v4.1.0 has been released. Please try it later.

from emqx-auth-http.

sgrigorev commented on September 12, 2024

Hi @HJianBo! I've tried v4.1.0 and in my case %C has been replaced with "null" instead of the real CN. Could you please recheck it?

from emqx-auth-http.

HJianBo commented on September 12, 2024

Hi @sgrigorev Did you set the listener.ssl.external.verify = verify_peer in emqx.conf?

from emqx-auth-http.

sgrigorev commented on September 12, 2024

@HJianBo listener.ssl.external.verify = verify_peer helped me, thank you!

from emqx-auth-http.
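As an added example (not code from this issue thread or from the emqx-auth-http project), this is the backend side of the auth_req configured above: a Python check that refuses a login when %C arrives as the string "null" (the symptom reported when the listener lacks verify = verify_peer) and cross-checks commonname, subject and clientid. The exact %d subject string format and the sample request bodies are assumptions constructed for the example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Param names come from the thread's auth.http.auth_req.params line.
REQUIRED = ("clientid", "username", "commonname", "subject")

def parse_auth_body(body: str) -> Dict[str, str]:
    """Parse the form-encoded body the plugin posts; first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def cn_from_subject(subject: str) -> Optional[str]:
    """Extract CN from a subject string. The exact %d format is an assumption
    here; both '/C=CN/O=EMQ/CN=dev1' and 'CN=dev1,O=EMQ' shapes are accepted."""
    sep = "/" if subject.lstrip().startswith("/") else ","
    for part in subject.split(sep):
        part = part.strip()
        if part.startswith("CN="):
            return part[3:]
    return None

def decide(body: str) -> Tuple[bool, str]:
    """Return (allow, reason) for one auth request body."""
    p = parse_auth_body(body)
    missing = [k for k in REQUIRED if k not in p]
    if missing:
        return False, "missing params: " + ",".join(missing)
    cn = p["commonname"]
    # The thread reports %C arriving as the string "null" when the listener
    # lacks verify = verify_peer: the broker never asked for a client cert.
    if cn in ("", "null"):
        return False, "no verified client cert (listener verify must be verify_peer)"
    if cn_from_subject(p["subject"]) != cn:
        return False, "subject CN does not match commonname"
    if cn != p["clientid"]:
        return False, "clientid does not match certificate CN"
    return True, "ok"

# Constructed sample bodies, in the param order of the thread's config.
GOOD = ("clientid=dev1&username=dev1&password=s3cret&commonname=dev1"
        "&subject=/C=CN/O=EMQ/CN=dev1&protocol=mqtt&ipaddress=10.0.0.5")
NO_CERT = GOOD.replace("commonname=dev1", "commonname=null")

if __name__ == "__main__":
    print(decide(GOOD))     # (True, 'ok')
    print(decide(NO_CERT))  # (False, 'no verified client cert (listener verify must be verify_peer)')
```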
