Authentication to webserver with client certificate would be great #39

Open
christian-redhat-test opened this issue Feb 27, 2025 · 4 comments

@christian-redhat-test

Cannot access evcc hosted behind a reverse proxy with authentication via client certificate instead of user and password.

Tested on Android 14.

@naltatis
Member

> via client certificate instead of user and password

@christian-redhat-test can you provide more details? What's your configuration? What solution would you prefer?

@marcelGoerentz

Hey,

I would need this feature too, since I'm running evcc behind a reverse proxy that is checking client certificates before providing access to my applications.

That's why I need to tell the evcc app to use the client certificate installed on my smartphone.

If you need further information, just ping me. I can even answer in German if this is your preferred language.

@marcelGoerentz

marcelGoerentz commented Mar 8, 2025

One more thing, I think it should be possible to use both the user password authentication and the client certificate authentication.

Also, the client certificate can only be used in a TLS/SSL connection.

@christian-redhat-test
Author

Sorry for my late answer,

I am running a publicly accessible web server as a reverse proxy for some other web apps on my local network.
In my case the web server is an Apache httpd where a is protected using some SSLRequire directives which require the browser to pass a matching client certificate to the proxy.
Then Apache uses the ProxyPass and ProxyPassReverse directives to pass all traffic to the destination.

Here is an example of a config section for Apache httpd, but it should be similar or even simpler with nginx or traefik.

```apache
<VirtualHost *:8443>
    # This is the name of the vHost, which should match the domain or subdomain
    ServerName evcc.some.domain

    <Location "/">
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 256 \
               and %{SSL_CLIENT_S_DN_L} eq "MyLocation" \
               and %{SSL_CLIENT_S_DN_ST} eq "MyState" \
               and %{SSL_CLIENT_S_DN_C} eq "DE" \
               and %{SSL_CLIENT_S_DN_O} eq "my Org" \
               and %{SSL_CLIENT_I_DN_CN} eq "my RootCA" \
               ...
               and %{SSL_CLIENT_I_DN_C} eq "DE"

        ErrorDocument 403 "<h1>system</h1> <p>Error: You need a valid client side certificate registered on this host to access this site!</p>"

        # The rewrites make sure the containers work with websockets
        # Module mod_proxy_wstunnel is required
        RewriteEngine on

        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule .* ws://192.168.1.7:7070%{REQUEST_URI} [P]
        ProxyPass         http://192.168.1.7:7070/
        ProxyPassReverse  http://192.168.1.7:7070/

    </Location>
</VirtualHost>
```
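
The `<Location>` block in the comment above matches on certificate DN strings, and those strings are only trustworthy once mod_ssl has verified the client certificate chain against the CA. The following is an added example (not from the thread or the evcc project) showing the enclosing directives that do this, with the visible checks rewritten in Apache 2.4 `Require expr` form. The certificate paths are placeholders, `SSLVerifyDepth 1` assumes client certificates are issued directly by the root CA, and the conditions elided in the post are left out.

```apache
<VirtualHost *:8443>
    ServerName evcc.some.domain

    # Server side of the TLS connection (placeholder paths, not from the thread)
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Chain verification: only certificates that chain to this CA file pass
    # the handshake. Without it, the DN checks below would compare strings
    # that any self-made certificate can carry.
    SSLCACertificateFile  /etc/ssl/example/my-root-ca.crt
    SSLVerifyClient       require
    # Assumption: client certificates are signed directly by the root CA
    SSLVerifyDepth        1

    <Location "/">
        # Same conditions as the SSLRequire expression in the post, in
        # ap_expr syntax. SSL_CLIENT_VERIFY must be SUCCESS, so a later
        # switch to "optional_no_ca" does not silently admit unverified
        # certificates.
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' \
            && %{SSL_CIPHER_USEKEYSIZE} -ge 256 \
            && %{SSL_CLIENT_S_DN_L} == 'MyLocation' \
            && %{SSL_CLIENT_S_DN_ST} == 'MyState' \
            && %{SSL_CLIENT_S_DN_C} == 'DE' \
            && %{SSL_CLIENT_S_DN_O} == 'my Org' \
            && %{SSL_CLIENT_I_DN_CN} == 'my RootCA' \
            && %{SSL_CLIENT_I_DN_C} == 'DE'"

        # WebSocket upgrade and reverse proxy, unchanged from the post
        # (requires mod_proxy_wstunnel)
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule .* ws://192.168.1.7:7070%{REQUEST_URI} [P]
        ProxyPass         http://192.168.1.7:7070/
        ProxyPassReverse  http://192.168.1.7:7070/
    </Location>
</VirtualHost>
```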
