
Bandwidth scanner authentication by the bwauth's web servers

Some bwauths commented that it would be nice to have some way to authenticate the bandwidth scanner requests to their Web servers to avoid MITM.

One proposal is X.509 client certificates issued by a bwauth operator to legit bwauth web servers.

A possible nginx configuration would be:

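ssl_trusted_certificate /path/to/bwauth-ca.pem;   # CA used to verify client certificates
ssl_verify_client optional;                       # request a client cert; enforced by the check below
[snip]
if ($ssl_client_verify != SUCCESS) {              # no cert, or a cert that failed verification
   return 403;
}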

(see https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/)

The downsides mentioned are certificate expiration and renewal, which could be avoided by:

  1. non-expiring certificates
  2. automated certificate replacement (ACME?)

Verbatim comments about this:

i'd personally be fine with non-expiring certificates for this purpose, though it means if anything needs revocation we'd need to manually replace entire CA (including the "ssl_trusted_certificate" on the host servers).

Running an ACME instance for this purpose seems pretty heavyweight to me.

If we're concerned about revocation, i suppose we could look into OCSP stapling for the client cert, but:

(a) i don't know how to tell nginx to require OCSP stapling for the client cert (all the stapling stuff in there is about stapling for the server cert):

https://nginx.org/en/docs/http/ngx_http_ssl_module.html

(b) i don't know whether the sbws toolchain is capable of fetching and stapling OCSP responses to its client cert.

But maybe (a) will be fine and nginx will Just Work for the client certs as long as they all have the MustStaple extension? I've never tested it.

CC @dkg, @stefani, @tjr, @gk, @mikeperry
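
The revocation concern in the comments above can be explored with a CRL instead of a CA replacement. This is an added example, not part of the original issue or of sbws: it builds a throwaway CA with the openssl CLI, issues scanner client certificates, and shows a revoked one failing verification. The names `bwauth-ca` and `scanner1` and the file layout are assumptions.

```shell
#!/bin/sh
# Constructed demo PKI: CA name, scanner names and file layout are placeholders.
set -eu
make_ca() {                       # $1 = directory that will hold the CA
  d=$1; mkdir -p "$d/certs"; : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = req
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = bwauth
[bwauth]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/certs
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = pol
x509_extensions = client_ext
[pol]
commonName = supplied
[client_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$d/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=bwauth-ca" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null  # empty CRL
}
issue_client() {                  # $1 = CA directory, $2 = scanner name
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}
revoke_client() {                 # mark one certificate revoked, publish a fresh CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
check_client() {                  # chain, client-auth purpose and CRL check; 0 = accepted
  openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" -crl_check \
    -purpose sslclient "$1/$2.pem" >/dev/null 2>&1
}
# Demo: scanner1 verifies, is revoked, then fails; ca.pem is never replaced.
t=$(mktemp -d); make_ca "$t"; issue_client "$t" scanner1; check_client "$t" scanner1
revoke_client "$t" scanner1; check_client "$t" scanner1 || echo "scanner1 rejected"
```

nginx reads a CRL like this through its `ssl_crl` directive, so revoking one scanner means redistributing `crl.pem` and reloading, while the CA certificate on the web servers stays the same.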