I've rootCA as client certificate and servcer CA. I need to validate the clients also by their Common Name (CN). For example if the CN isn't demo.com then I'll let them in otherwise need to close the connection.
Actually I'm using nginx as sidecar proxy infront of Vernemq Pod,to terminate the tls and also doing mTLS validation. Need to implement CN based validation also.
The below http config I've tried and working fine
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~/CN=(?<CN>[^/]+) $CN;
}
http {
server {
....
ssl_verify_client on;
location ~ ^/safe{
if ($ssl_client_s_dn_cn !~ "demo.com"){
return 401;
}
}
}
I need to achieve the same in stream config.
Here /localtion and if modules are not supported in stream it seems.