<div dir="ltr">Okay, I see how I can wrap cowboy_protocol:init() to perhaps add cert information to env or stuff it in an ets table / gproc / process dictionary. Is this what you mean? I think that will work for me.<div>
<br></div><div>My immediate application is to provide a secure RESTful API for a network appliance. Think securing the Web of Things. I really do want to get in the client's face if they don't have the right certificate.<br>
</div><div><br></div><div>I'm late in saying this, but thank you for making Cowboy so easy to read and understand.</div><div><br></div><div>Cheers,</div><div>Dan.</div><div><br></div></div><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Thu, Jun 5, 2014 at 4:24 PM, Loïc Hoguin <span dir="ltr"><<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Misunderstood what you needed then.<br>
<br>
Note that the services that are completely blocked from anyone who doesn't have the right cert are virtually non-existent; it doesn't make sense to add a feature for it.<br>
<br>
You can do that kind of thing by having custom code creating the protocol process by the way. There's no need to patch Cowboy for that.<div class=""><br>
<br>
On 06/05/2014 11:01 PM, Daniel Goertzen wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
But then I would have to check the client cert for each and every<br>
request. I should have to check the cert only once at connect time and<br>
then be able to pass the result of that check in the request to each<br>
handler.<br>
<br>
Anyway I've gone ahead and implemented what I need in a generic manner<br>
and it seems to work well. I think it would be a useful addition to<br>
Cowboy. If you agree I could write some more documentation for it.<br>
<br>
<a href="https://github.com/goertzenator/cowboy/tree/onconnect" target="_blank">https://github.com/goertzenator/cowboy/tree/onconnect</a><br>
<br>
I added a "onconnect" hook and "connection metadata" to cowboy_req. The<br>
connection metadata works like existing metadata, but is preserved from<br>
request to request on the same connection. The onconnect hook provides<br>
initial values for the connection metadata.<br>
<br>
Dan.<br>
<br>
<br>
<br>
<br>
On Thu, Jun 5, 2014 at 3:04 AM, Loïc Hoguin <<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a><br></div><div class="">
<mailto:<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>>> wrote:<br>
<br>
On 06/05/2014 01:44 AM, Daniel Goertzen wrote:<br>
<br>
<br>
<br>
<br>
On Wed, Jun 4, 2014 at 4:48 PM, Loïc Hoguin <<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a><br>
<mailto:<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>><br></div><div><div class="h5">
<mailto:<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a> <mailto:<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>>>> wrote:<br>
<br>
On 06/04/2014 10:08 PM, Daniel Goertzen wrote:<br>
<br>
I am having very good luck with Cowboy so far, but I have some questions:<br>
<br>
1. There doesn't appear to be any way to do client certificate authorization in Cowboy, although I see there is an example for doing exactly that with Ranch. I think I could modify Cowboy to do what I want, but I thought I would ask if there were other options before doing that.<br>
<br>
<br>
Same as Ranch really, you just gotta take the socket and then call the ssl functions.<br>
<br>
<br>
Yes, but in cowboy there's no API to get at the socket.<br>
<br>
<br>
There is the undocumented function cowboy_req:get/1 which is meant for that kind of "special" use.<br>
<br>
<br>
--<br>
Loïc Hoguin<br>
<a href="http://ninenines.eu" target="_blank">http://ninenines.eu</a><br>
<br>
<br>
</div></div></blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Loïc Hoguin<br>
<a href="http://ninenines.eu" target="_blank">http://ninenines.eu</a><br>
</div></div></blockquote></div><br></div>
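<div>The "take the socket and call the ssl functions" approach discussed in this thread, written out as a complete Erlang module. This is an added example, not code from the thread, from Cowboy or from Ranch. It assumes the Cowboy 1.x handler API of the time (init/3 returning {ok, Req, State} or {shutdown, Req, State}, and the undocumented cowboy_req:get/2 accessor for the socket) plus the OTP ssl and public_key applications; the certificate file paths, the allowed_fingerprints route option and the 8443 port are placeholders. The listener options make the TLS handshake itself fail when no acceptable client certificate is presented, which is the strict "get in the client's face" behaviour Dan wants; the handler then reads the already-verified certificate and authorizes it against an allowlist of SHA-256 fingerprints.</div>

```erlang
%% client_cert_example.erl
%% Added example, not code from the thread or from Cowboy/Ranch.
%% Assumes Cowboy 1.x (init/3 handlers, cowboy_req:get/2) and the OTP
%% ssl/public_key applications. Paths, port and allowlist are placeholders.
-module(client_cert_example).
-behaviour(cowboy_http_handler).

-export([listener_opts/0, peer_cert_info/1, cert_fingerprint/1,
         subject_cn/1, check_cert/2]).
-export([init/3, handle/2, terminate/3]).

-include_lib("public_key/include/public_key.hrl").

%% Transport options for cowboy:start_https/4 (ranch_ssl underneath).
%% verify_peer + fail_if_no_peer_cert makes the TLS handshake fail when
%% the client presents no certificate, or one that does not chain to
%% cacertfile: the client is refused before any HTTP request exists.
listener_opts() ->
    [{port, 8443},                          % placeholder port
     {certfile, "priv/server.pem"},         % placeholder paths
     {keyfile, "priv/server.key"},
     {cacertfile, "priv/client_ca.pem"},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true}].

%% SHA-256 fingerprint of the DER certificate as lower-case hex.
cert_fingerprint(Der) when is_binary(Der) ->
    hex(crypto:hash(sha256, Der)).

hex(Bin) -> << <<(hexdigit(N))>> || <<N:4>> <= Bin >>.
hexdigit(N) when N < 10 -> $0 + N;
hexdigit(N) -> $a + N - 10.

%% Subject commonName of the DER certificate, or undefined. Only RDN
%% sets holding a single attribute are considered, which is the usual shape.
subject_cn(Der) ->
    #'OTPCertificate'{tbsCertificate = TBS} =
        public_key:pkix_decode_cert(Der, otp),
    {rdnSequence, RDNs} = TBS#'OTPTBSCertificate'.subject,
    CNs = [V || [#'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                          value = V}] <- RDNs],
    case CNs of
        [{utf8String, B} | _] when is_binary(B) -> B;
        [{_, S} | _] when is_list(S) -> list_to_binary(S);
        _ -> undefined
    end.

%% Read the certificate the TLS handshake already verified. ssl:peercert/1
%% returns the stored DER blob; it does not re-run verification, so this is
%% a cheap lookup, not a second check.
peer_cert_info(Req) ->
    Socket = cowboy_req:get(socket, Req),
    case ssl:peercert(Socket) of
        {ok, Der} ->
            {ok, #{der => Der,
                   fingerprint => cert_fingerprint(Der),
                   subject_cn => subject_cn(Der)}};
        {error, Reason} ->
            {error, Reason}
    end.

%% Authorization on top of the CA check the handshake did as
%% authentication: only pinned fingerprints may use the API.
check_cert(Der, AllowedFingerprints) ->
    FP = cert_fingerprint(Der),
    case lists:member(FP, AllowedFingerprints) of
        true  -> {ok, FP};
        false -> {error, {not_allowed, FP}}
    end.

%% Cowboy 1.x HTTP handler. The allowlist comes from the route's handler
%% options, e.g. [{allowed_fingerprints, [<<"...">>]}] (placeholder).
init({ssl, http}, Req, Opts) ->
    Allowed = proplists:get_value(allowed_fingerprints, Opts, []),
    case peer_cert_info(Req) of
        {ok, #{der := Der} = Info} ->
            case check_cert(Der, Allowed) of
                {ok, _}    -> {ok, Req, Info};
                {error, _} -> forbidden(Req)
            end;
        {error, _} ->
            forbidden(Req)
    end;
init(_Transport, Req, _Opts) ->
    %% Plain tcp transport: there is no client certificate to check.
    forbidden(Req).

forbidden(Req) ->
    {ok, Req2} = cowboy_req:reply(403, [], <<"client certificate required">>, Req),
    {shutdown, Req2, undefined}.

handle(Req, #{subject_cn := CN} = State) ->
    Body = case CN of
               undefined -> <<"hello">>;
               _ -> <<"hello ", CN/binary>>
           end,
    {ok, Req2} = cowboy_req:reply(200, [{<<"content-type">>, <<"text/plain">>}],
                                  Body, Req),
    {ok, Req2, State}.

terminate(_Reason, _Req, _State) -> ok.
```

<div>Start the listener with cowboy:start_https/4, passing client_cert_example:listener_opts() as the transport options. Because the handshake already rejects clients without an acceptable certificate, the 403 path in init/3 only fires if the listener is started without verify_peer or over plain tcp; it is there as a second line of defence, not the primary gate. The per-request ssl:peercert/1 call is what Dan's onconnect branch replaces with a once-per-connection lookup; since it reads cached handshake state rather than re-verifying, the difference is convenience for handlers, not security.</div>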