only accept suigned client certs in x509 idp

SURFscz · Oct 27, 2023 · 5e972eb · 5e972eb
1 parent 45e3fc1
commit 5e972eb
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/roles/surfstar-idp/templates/nginx.conf.j2 b/roles/surfstar-idp/templates/nginx.conf.j2
@@ -24,7 +24,8 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 
     include security_headers;
-    ssl_verify_client optional_no_ca;
+    ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
+    ssl_verify_client on;
     ssl_verify_depth 5;
 
     location ^~ /saml {