Nginx – Append Encrypted Query Parameter to a React Application

Tags: encryption, nginx, rewrite, security, static-content

I want to send the DN field from the client certificate ($ssl_client_s_dn), but I want to send it encrypted.

In the question "nginx append query parameter to a react application" it is explained how to add a parameter to a React application using rewrite and try_files, and how to prevent the infinite rewrite redirecting loop.

But I don't know how to encrypt this variable ($ssl_client_s_dn).

My configuration file is

server {
  listen 9999 ssl default_server;
  listen [::]:9999 ssl default_server;

  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

  ssl_certificate        /keystores/mycert.crt.pem;         ## 
  ssl_certificate_key    /keystores/mycert.key.pem;         ## 
  ssl_client_certificate /keystores/.npm.certs.pem;         ## CA Bundle
  ssl_verify_client on;

  root /home/edu/my-react-app;

  index index.html;

  server_name _;

  location / {
    try_files $uri $uri/ /index.html =404;
  }

  location = /login {
    if ($arg_DN = "") {
      rewrite ^ /login?DN=$ssl_client_s_dn redirect;
    }
    try_files /index.html =404;
  }
}  

Any help? Thanks

Best Answer

First, I used the njs module, so I had to add these 2 lines to the top of the file /etc/nginx/nginx.conf:

load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;

I have created a small JavaScript file (/etc/nginx/conf.d/njs/ximo.js) that converts the variable to Base64:

function dnencrypted(r) {
  var dn = r.variables.ssl_client_s_dn; //get dn
  return btoa(dn); // convert to Base64
}

export default {dnencrypted};  

Now I have added references to this JavaScript file and the variable $dnencrypted in the second configuration file (/etc/nginx/conf.d/default.conf):

# 1. References to the javascript file and the variable
js_path "/etc/nginx/conf.d/njs";
js_import main from ximo.js;
js_set $dnencrypted main.dnencrypted;


server {
  listen 9999 ssl default_server;
  listen [::]:9999 ssl default_server;

  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

  ssl_certificate        /keystores/mycert.crt.pem;         ## 
  ssl_certificate_key    /keystores/mycert.key.pem;         ## 
  ssl_client_certificate /keystores/.npm.certs.pem;         ## CA Bundle
  ssl_verify_client on;

  root /home/edu/my-react-app;

  index index.html;

  server_name _;

  location / {
    try_files $uri $uri/ /index.html =404;
  }

  location = /login {
    # 2. Add the query param obtained with the variable from the javascript file
    if ($arg_dnencrypted = "") {
      rewrite ^ /login?dnencrypted=$dnencrypted redirect;
    }
    try_files /index.html =404;
  }
}  

The obfuscation of this variable is very weak. This answer is only a general idea. Other encryption libraries must be used in order to get powerful encryption!