<tt>
<div dir="ltr">Okay, I see how I can wrap cowboy_protocol:init() to perhaps add cert information to env or stuff it in an ets table / gproc / process dictionary. Is this what you mean? I think that will work for me.<div><br>
<br></div><div>My immediate application is to provide a secure RESTful API for a network appliance. Think securing the Web of Things. I really do want to get in the client's face if they don't have the right certificate.<br><br>
</div><div><br></div><div>I'm late in saying this, but thank you for making Cowboy so easy to read and understand.</div><div><br></div><div>Cheers,</div><div>Dan.</div><div><br></div></div><div class="gmail_extra"><br><br>
<br><div class="gmail_quote">On Thu, Jun 5, 2014 at 4:24 PM, Loïc Hoguin <span dir="ltr"><<a href="mailto:[email protected]" target="_blank">[email protected]</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Misunderstood what you needed then.<br><br>
<br><br>
Note that the services that are completely blocked from anyone who doesn't have the right cert are virtually non-existent; it doesn't make sense to add a feature for it.<br><br>
<br><br>
You can do that kind of thing by having custom code creating the protocol process by the way. There's no need to patch Cowboy for that.<div class=""><br><br>
<br><br>
On 06/05/2014 11:01 PM, Daniel Goertzen wrote:<br><br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br>
But then I would have to check the client cert for each and every<br><br>
request. I should have to check the cert only once at connect time and<br><br>
then be able to pass the result of that check in the request to each<br><br>
handler.<br><br>
<br><br>
Anyway I've gone ahead and implemented what I need in a generic manner<br><br>
and it seems to work well. I think it would be a useful addition to<br><br>
Cowboy. If you agree I could write some more documentation for it.<br><br>
<br><br>
<a href="https://github.com/goertzenator/cowboy/tree/onconnect" target="_blank">https://github.com/goertzenator/cowboy/tree/onconnect</a><br><br>
<br><br>
I added an "onconnect" hook and "connection metadata" to cowboy_req. The<br><br>
connection metadata works like existing metadata, but is preserved from<br><br>
request to request on the same connection. The onconnect hook provides<br><br>
initial values for the connection metadata.<br><br>
<br><br>
Dan.<br><br>
<br><br>
<br><br>
<br><br>
<br><br>
On Thu, Jun 5, 2014 at 3:04 AM, Loïc Hoguin <<a href="mailto:[email protected]" target="_blank">[email protected]</a><br></div><div class=""><br>
<mailto:<a href="mailto:[email protected]" target="_blank">[email protected]</a>>> wrote:<br><br>
<br><br>
On 06/05/2014 01:44 AM, Daniel Goertzen wrote:<br><br>
<br><br>
<br><br>
<br><br>
<br><br>
On Wed, Jun 4, 2014 at 4:48 PM, Loïc Hoguin <<a href="mailto:[email protected]" target="_blank">[email protected]</a><br><br>
<mailto:<a href="mailto:[email protected]" target="_blank">[email protected]</a>><br></div><div><div class="h5"><br>
<mailto:<a href="mailto:[email protected]" target="_blank">[email protected]</a> <mailto:<a href="mailto:[email protected]" target="_blank">[email protected]</a>>>> wrote:<br><br>
<br><br>
On 06/04/2014 10:08 PM, Daniel Goertzen wrote:<br><br>
<br><br>
I am having very good luck with Cowboy so far, but I have some questions:<br><br>
<br><br>
1. There doesn't appear to be any way to do client certificate authorization in Cowboy, although I see there is an example for doing exactly that with Ranch. I think I could modify Cowboy to do what I want, but I thought I would ask if there were other options before doing that.<br><br>
<br><br>
<br><br>
Same as Ranch really, you just gotta take the socket and then call the ssl functions.<br><br>
<br><br>
<br><br>
Yes, but in cowboy there's no API to get at the socket.<br><br>
<br><br>
<br><br>
There is the undocumented function cowboy_req:get/1 which is meant<br><br>
for that kind of "special" use.<br><br>
<br><br>
<br><br>
--<br><br>
Loïc Hoguin<br><br>
<a href="http://ninenines.eu" target="_blank">http://ninenines.eu</a><br><br>
<br><br>
<br><br>
</div></div></blockquote><div class="HOEnZb"><div class="h5"><br>
<br><br>
-- <br><br>
Loïc Hoguin<br><br>
<a href="http://ninenines.eu" target="_blank">http://ninenines.eu</a><br><br>
</div></div></blockquote></div><br></div><br>
</tt>
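The thread settles on doing the client-certificate check once, at connect time, by taking the socket and calling the ssl functions, then handing the result to handlers through the env, an ets table or the process dictionary. The following is an added example and is not code from the thread, from Cowboy or from the onconnect branch. It shows the two halves a practitioner needs: the transport options that make the TLS handshake itself reject any client whose certificate does not chain to the appliance's CA (so the chain validation is done by the TLS stack, not by application code), and a `peer_identity/1` function that reads the already-verified peer certificate once and reduces it to a small identity term (subject CN plus SHA-256 fingerprint) that can be stored per connection. The module name, the `allowed/2` fingerprint allowlist and the certificate file paths are assumptions for illustration; where in the connection process this gets called is as the thread describes (in the custom code that creates the protocol process, after the handshake has completed).

```erlang
%% Added example, not part of Cowboy or of the mailing-list thread.
%% Reads the peer certificate once per connection and turns it into an
%% identity term that handlers can consume without touching the socket.
-module(client_cert_check).
-export([ssl_opts/3, peer_identity/1, allowed/2]).

-include_lib("public_key/include/public_key.hrl").

%% Transport (ssl) options for the listener. With verify_peer and
%% fail_if_no_peer_cert the handshake fails for any client that presents
%% no certificate or one that does not chain to CaCertFile, so by the
%% time peer_identity/1 runs the certificate has already been validated.
%% The three file paths are placeholders supplied by the caller.
ssl_opts(CaCertFile, CertFile, KeyFile) ->
    [{cacertfile, CaCertFile},
     {certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true}].

%% Called once in the connection process after the TLS handshake.
%% Returns {ok, #{cn => CommonName, fingerprint => Sha256Binary}} or
%% {error, Reason}. {error, no_peercert} can only happen if the listener
%% was started without the options above.
peer_identity(Socket) ->
    case ssl:peercert(Socket) of
        {ok, Der} ->
            Cert = public_key:pkix_decode_cert(Der, otp),
            TBS = Cert#'OTPCertificate'.tbsCertificate,
            {rdnSequence, Rdns} = TBS#'OTPTBSCertificate'.subject,
            {ok, #{cn => subject_cn(Rdns),
                   fingerprint => crypto:hash(sha256, Der)}};
        {error, Reason} ->
            {error, Reason}
    end.

%% Optional second gate for an appliance that pins specific client
%% certificates rather than trusting everything the CA issued:
%% AllowedFingerprints is a list of SHA-256 fingerprints (binaries)
%% of the permitted client certificates.
allowed(#{fingerprint := Fp}, AllowedFingerprints) ->
    lists:member(Fp, AllowedFingerprints).

%% Walk the subject RDN sequence and return the first commonName found.
%% Each RDN is a list of AttributeTypeAndValue records, so keyfind on the
%% record's type field handles multi-valued RDNs as well.
subject_cn([]) ->
    undefined;
subject_cn([Rdn | Rest]) ->
    case lists:keyfind(?'id-at-commonName',
                       #'AttributeTypeAndValue'.type, Rdn) of
        #'AttributeTypeAndValue'{value = V} -> cn_to_list(V);
        false -> subject_cn(Rest)
    end.

%% The CN is tagged with its ASN.1 string type; normalise to a list.
cn_to_list({printableString, S}) -> S;
cn_to_list({utf8String, B}) -> unicode:characters_to_list(B);
cn_to_list({teletexString, S}) -> S;
cn_to_list(Other) -> Other.
```

In the design the thread converges on, the connection process calls `peer_identity/1` exactly once, right after the handshake, and stores the resulting map where every request on that connection can see it (the env or connection metadata, or the process dictionary). Handlers then authorise on `cn` or `fingerprint` without ever calling `ssl:peercert/1` themselves, which is what keeps the per-request cost at a map lookup rather than a certificate decode.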