<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [99s-extend] cowboy client cert auth, basic auth
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20cowboy%20client%20cert%20auth%2C%20basic%20auth&In-Reply-To=%3C5391CBB4.7060606%40ninenines.eu%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000399.html">
<LINK REL="Next" HREF="000391.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[99s-extend] cowboy client cert auth, basic auth</H1>
<B>Loïc Hoguin</B>
<A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20cowboy%20client%20cert%20auth%2C%20basic%20auth&In-Reply-To=%3C5391CBB4.7060606%40ninenines.eu%3E"
TITLE="[99s-extend] cowboy client cert auth, basic auth">essen at ninenines.eu
</A><BR>
<I>Fri Jun 6 16:09:56 CEST 2014</I>
<P><UL>
<LI>Previous message: <A HREF="000399.html">[99s-extend] cowboy client cert auth, basic auth
</A></li>
<LI>Next message: <A HREF="000391.html">[99s-extend] Mandatory init/3 and optional handle/2 and terminate/3
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#400">[ date ]</a>
<a href="thread.html#400">[ thread ]</a>
<a href="subject.html#400">[ subject ]</a>
<a href="author.html#400">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On 06/06/2014 03:59 PM, Daniel Goertzen wrote:
><i> Okay, I see how I can wrap cowboy_protocol:init() to perhaps add cert
</I>><i> information to env or stuff it in an ets table / gproc / process
</I>><i> dictionary. Is this what you mean? I think that will work for me.
</I>
Something like that, yes. Process dictionary is probably the quick and
dirty way, env would be cleaner but take more code as you then have to
move it from env to handler opts.

><i> My immediate application is to provide a secure RESTful API for a
</I>><i> network appliance. Think securing the Web of Things. I really do want
</I>><i> to get in the client's face if they don't have the right certificate.
</I>><i>
</I>><i> I'm late in saying this, but thank you for making Cowboy so easy to read
</I>><i> and understand.
</I>><i>
</I>><i> Cheers,
</I>><i> Dan.
</I>><i>
</I>><i>
</I>><i>
</I>><i> On Thu, Jun 5, 2014 at 4:24 PM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>
</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>> wrote:
</I>><i>
</I>><i> Misunderstood what you needed then.
</I>><i>
</I>><i> Note that the services that are completely blocked from anyone who
</I>><i> doesn't have the right cert are virtually non-existent, it doesn't
</I>><i> make sense to add a feature for it.
</I>><i>
</I>><i> You can do that kind of thing by having custom code creating the
</I>><i> protocol process by the way. There's no need to patch Cowboy for that.
</I>><i>
</I>><i>
</I>><i> On 06/05/2014 11:01 PM, Daniel Goertzen wrote:
</I>><i>
</I>><i> But then I would have to check the client cert for each and every
</I>><i> request. I should have to check the cert only once at connect
</I>><i> time and
</I>><i> then be able to pass the result of that check in the request to each
</I>><i> handler.
</I>><i>
</I>><i> Anyway I've gone ahead and implemented what I need in a generic
</I>><i> manner
</I>><i> and it seems to work well. I think it would be a useful addition to
</I>><i> Cowboy. If you agree I could write some more documentation for it.
</I>><i>
</I>><i> <A HREF="https://github.com/__goertzenator/cowboy/tree/__onconnect">https://github.com/__goertzenator/cowboy/tree/__onconnect</A>
</I>><i> <<A HREF="https://github.com/goertzenator/cowboy/tree/onconnect">https://github.com/goertzenator/cowboy/tree/onconnect</A>>
</I>><i>
</I>><i> I added a "onconnect" hook and "connection metadata" to
</I>><i> cowboy_req. The
</I>><i> connection metadata works like existing metadata, but is
</I>><i> preserved from
</I>><i> request to request on the same connection. The onconnect hook
</I>><i> provides
</I>><i> initial values for the connection metadata.
</I>><i>
</I>><i> Dan.
</I>><i>
</I>><i>
</I>><i>
</I>><i>
</I>><i> On Thu, Jun 5, 2014 at 3:04 AM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>
</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>
</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>>> wrote:
</I>><i>
</I>><i> On 06/05/2014 01:44 AM, Daniel Goertzen wrote:
</I>><i>
</I>><i>
</I>><i>
</I>><i>
</I>><i> On Wed, Jun 4, 2014 at 4:48 PM, Loïc Hoguin
</I>><i> <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>
</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>>
</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>
</I>><i> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A> <mailto:<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>>>>> wrote:
</I>><i>
</I>><i> On 06/04/2014 10:08 PM, Daniel Goertzen wrote:
</I>><i>
</I>><i> I am having very good luck with Cowboy so far,
</I>><i> but I
</I>><i> have some
</I>><i> questions:
</I>><i>
</I>><i> 1. There doesn't appear to be any way to do client
</I>><i> certificate
</I>><i> authorization in Cowboy, although I see there
</I>><i> is an
</I>><i> example for
</I>><i> doing
</I>><i> exactly that with Ranch. I think I could
</I>><i> modify Cowboy
</I>><i> to do what I
</I>><i> want, but I thought I would ask if there were
</I>><i> other options
</I>><i> before doing
</I>><i> that.
</I>><i>
</I>><i>
</I>><i> Same as Ranch really, you just gotta take the
</I>><i> socket and
</I>><i> then call
</I>><i> the ssl functions.
</I>><i>
</I>><i>
</I>><i> Yes, but in cowboy there's no API to get at the socket.
</I>><i>
</I>><i>
</I>><i> There is the undocumented function cowboy_req:get/1 which
</I>><i> is meant
</I>><i> for that kind of "special" use.
</I>><i>
</I>><i>
</I>><i> --
</I>><i> Loïc Hoguin
</I>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>><i>
</I>><i>
</I>><i>
</I>><i> --
</I>><i> Loïc Hoguin
</I>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>><i>
</I>><i>
</I>
--
Loïc Hoguin
<A HREF="http://ninenines.eu">http://ninenines.eu</A>
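
The following is an added example, not part of the original message and not code from Cowboy or from either poster: it rejects clients without a valid certificate during the TLS handshake, then caches the peer subject in the connection's process dictionary so it is read only once per connection. It assumes Cowboy 0.9/1.0 over plain HTTPS (no SPDY), where handlers run in the connection process, and that the undocumented getter is called as cowboy_req:get(socket, Req); the module name, listener name, port and file paths are hypothetical.

```erlang
-module(certauth_example).  %% hypothetical module name
-export([start/0, init/3, handle/2, terminate/3]).
-include_lib("public_key/include/public_key.hrl").

%% Listener: verify_peer + fail_if_no_peer_cert make the handshake fail for
%% any client that does not present a certificate chaining to ca.pem, so
%% unauthenticated peers never reach a handler.
start() ->
    Dispatch = cowboy_router:compile([{'_', [{"/", ?MODULE, []}]}]),
    cowboy:start_https(certauth_listener, 10,
        [{port, 8443},
         {cacertfile, "priv/ca.pem"},      %% placeholder paths
         {certfile, "priv/server.pem"},
         {keyfile, "priv/server.key"},
         {verify, verify_peer},
         {fail_if_no_peer_cert, true}],
        [{env, [{dispatch, Dispatch}]}]).

init(_Transport, Req, _Opts) ->
    {ok, Req, undefined}.

handle(Req, State) ->
    %% Authorization decisions would be made on Subject here.
    Subject = peer_subject(Req),
    Body = io_lib:format("~p~n", [Subject]),
    {ok, Req2} = cowboy_req:reply(200, [], Body, Req),
    {ok, Req2, State}.

terminate(_Reason, _Req, _State) ->
    ok.

%% Quick-and-dirty per-connection cache: the first request on a connection
%% decodes the peer certificate, later keep-alive requests reuse the result.
peer_subject(Req) ->
    case get(peer_subject) of
        undefined ->
            Socket = cowboy_req:get(socket, Req),  %% undocumented getter
            {ok, Der} = ssl:peercert(Socket),
            #'OTPCertificate'{tbsCertificate = Tbs} =
                public_key:pkix_decode_cert(Der, otp),
            Subject = Tbs#'OTPTBSCertificate'.subject,
            put(peer_subject, Subject),
            Subject;
        Subject ->
            Subject
    end.
```

Chain validation only proves the certificate was issued by the configured CA; which subjects are allowed to call which resource still has to be decided in the handler.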
</PRE>
<!--endarticle-->
<HR>
<hr>
<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend
mailing list</a><br>
</body></html>