Download the PHP package zim32/cert-auth-bundle without Composer
On this page you can find all versions of the php package zim32/cert-auth-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package cert-auth-bundle
Short Description Two-factor x509 certificate authentication
License MIT
Homepage https://github.com/zim32/Symfony2-CertAuthBundle
Information about the package cert-auth-bundle
Symfony2-CertAuthBundle
Integrate two-factor certificate authentication in your project.
With this bundle it is possible to easily integrate two-factor x509 based browser authentication into your project.
Basic features:
- Tightly integrated into Symfony2 firewall system (less code more security)
- Integrate it on top of any authentication method - http-basic, form-login, pre-auth etc...
- Automatic x509 certificate generation, storage and restoring
- Pluggable certificate storage system based on Persisters, Filters and Formatters (store your certificates the way you like)
- Flexible access rules: store an IP address, email or any custom field in the client certificate and then filter on it with Symfony Expression Language
- Outstanding security for your customers: an attacker must possess the user's certificate and know his credentials, and even then it is almost impossible to log in if you deny access by the IP stored in the certificate
- Since the x509 ValidFrom and ValidTo fields are automatically validated by nginx or any similar server, inactive accounts are less likely to become your headache
How does it work?
- User is logged in as usual
- User is redirected to DENY page
- User enters his secure word and clicks generate certificate
- Generated certificate is stored on server (localfs, db, {your_custom_storage})
- User downloads certificate and installs it into the browser
- User refreshes the page and gets into the admin interface
- Your frontend server stack validates the user certificate and passes several SERVER variables to the backend
- Bundle checks these variables to grant or deny access
What if the user goes to another computer?
- User is logged in as usual
- System detects that he has certificate locally
- User is redirected to RESTORE page
- User enters his secure word and downloads the certificate again
Certificates are protected by a password, and even your admin cannot view their content.
Contents
Installation
Configuration reference
Customize
Disable automatic certificate recovery
Run Tests
Using Command Line
How to add custom fields
Installation
Download via composer
Add bundle to your Kernel
Import routes
Generate CA certificate (if you don't have one)
Modify nginx config. Add lines in your server section:
Depending on your version of nginx, you may have to add ssl_client_certificate /{your_app_root}/cert/CA.crt; instead of ssl_trusted_certificate, but this is not the recommended option; consider updating your nginx server.
Modify your openssl config file
This bundle uses a custom openssl extension section called zim_usr_cert to prevent conflicts with your existing configuration. So add this to the end of your openssl config file (on Debian /etc/ssl/openssl.cnf):
For PHP-FPM use:
For proxy pass use:
Add directory to store generated client's certificates
Add bundle configuration
Modify security config
Configuration reference
See documentation
Customize
This bundle has four templates:
- Resources/views/Denied/layout.html.twig
- Resources/views/Denied/index.html.twig
- Resources/views/Denied/restore.html.twig
- Resources/views/Denied/blocked.html.twig
Override them using the Symfony Override Templates technique to add, for example, instructions on how to install the certificate into the browser.
Override Controller/AccessDeniedController if you need some custom logic.
Change the persister to store client certificates some other way than localfs (for example, in a database).
Disable automatic certificate recovery
If you want to disable certificate automatic recovery, just add this to config.yml file:
Run Tests
Using command line
You can dump client certificates and private keys using
You can remove certificate from storage
How to add custom fields
Suppose you want to add ipAddress field to your client certificates equal to current client IP and then deny access based on this field. You should do several simple steps:
- Find free OID in registry to prevent conflicts
- Add custom OID to your openssl configuration file
- Add event listener to add ipAddress field to client certificate
- Add custom expression to validate this field
Step #1
For example, you choose your company OID section to be 1.3.6.1.4.1.77777, so your ipAddress field OID should be something like 1.3.6.1.4.1.77777.1. Open your openssl config file, find the [new_oids] section and add the following line:
Step #2
Add zim_cert.modify_csr event listener
Step #3
Create event listener
Step #4
From now on you are able to use Symfony Expression Language to deny access based on this field. Modify your config.yml:
That's all.
All versions of cert-auth-bundle with dependencies
symfony/symfony Version ~2.7
ext-openssl Version *
lib-openssl Version *