- <key> can be either a string or a variable name (See also "<span class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">set-var<span class="caret"></span></a><ul class="dropdown-menu"><li class="dropdown-header">This keyword is available in sections :</li><li><a href="#set-var%20%28Process%20management%20and%20security%29">Process management and security</a></li><li><a href="#set-var%20%28Alphabetically%20sorted%20actions%20reference%29">Alphabetically sorted actions reference</a></li><li><a href="#set-var%20%28Converters%29">Converters</a></li></ul></span>") that
24743
-
holds a secret, a public key path or a certificate path.
24748
+
holds a secret or a public key path.
24744
24749
24745
24750
Secrets are only applicable when using HMAC algorithms.
24746
24751
24747
24752
Public keys must be in either the PKCS#1 format (for RSA keys, starting
24748
24753
with BEGIN RSA PUBLIC KEY) or SPKI format (Subject Public Key Info,
24749
24754
starting with BEGIN PUBLIC KEY). Public keys must be available during the
24750
-
configuration parsing and cannot be updated or loaded at runtime unlike
24755
+
configuration parsing and cannot be updated or loaded at runtime. See
24756
+
"<a href="#jwt_verify_cert">jwt_verify_cert</a>" converter for JWT token validation based on full-on PEM
24751
24757
certificates.
24752
24758
24753
-
Certificates must be standard PEM certificates (starting with BEGIN
24754
-
CERTIFICATE). When using a certificate its path can be passed directly to
24755
-
the converter or referenced via a variable. Certificates can be either
24756
-
declared in a crt-store, or dynamically loaded via the stats socket.
24759
+
All the public keys that might be used to verify JWTs must be known during
24760
+
init in order to be added into a dedicated cache so that no disk access is
24761
+
required during runtime.
24757
24762
24758
-
All the public keys and certificates that might be used to verify JWTs must
24759
-
be known during init in order to be added into a dedicated cache so that no
24760
-
disk access is required during runtime.
24763
+
Returns 1 in case of verification success, 0 in case of verification failure
24764
+
and a strictly negative value for any other error. Because of all those
24765
+
non-null error return values, the result of this converter should never be
24766
+
converted to a boolean. See below for a full list of the possible return
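Review bot: the new return-value paragraph (24763-24766) rightly warns that the result "should never be converted to a boolean", but it would be safer to also state the check callers should write: an explicit integer comparison against 1, since every error path yields a non-zero (negative) value that a plain truthy test would accept as a successful verification. Minor wording at 24755-24756: "full-on PEM certificates" reads informally; "full PEM certificates" or just "PEM certificates" is clearer.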
This converter only verifies the signature of the token and does not perform
24801
+
a full JWT validation as specified in <a href="#7.2">section 7.2</a> of RFC7519. We do not
24802
+
ensure that the header and payload contents are fully valid JSONs once
24803
+
decoded for instance, and no checks are performed regarding their respective
24804
+
contents.
24805
+
24806
+
- <alg> can be either a string or a variable name (See also "<span class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">set-var<span class="caret"></span></a><ul class="dropdown-menu"><li class="dropdown-header">This keyword is available in sections :</li><li><a href="#set-var%20%28Process%20management%20and%20security%29">Process management and security</a></li><li><a href="#set-var%20%28Alphabetically%20sorted%20actions%20reference%29">Alphabetically sorted actions reference</a></li><li><a href="#set-var%20%28Converters%29">Converters</a></li></ul></span>") that
24807
+
holds the name of the algorithm used to verify. Unlike the "<a href="#jwt_verify">jwt_verify</a>"
24808
+
converter, this converter only expects a certificate as second parameter so
24809
+
it should not be used for tokens using HMAC algorithms.
24810
+
24811
+
Algorithms mentioned in <a href="#3.1">section 3.1</a> of RFC7518 are managed (apart from HMAC
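Review bot: 24801-24805 say the converter does signature-only verification and that "no checks are performed regarding their respective contents", but they never tell the reader which checks remain their responsibility; since the paragraph cites RFC 7519 section 7.2, one sentence saying that claim validation (expiration, audience, issuer and the like) must be done separately by the configuration would close that gap. At 24807-24809, "should not be used for tokens using HMAC algorithms" is advice rather than behaviour; please state what the converter actually returns when <alg> names an HMAC algorithm so operators know it fails closed. Also "fully valid JSONs" should read "valid JSON", and "We do not ensure" fits the rest of the reference better as "It does not ensure".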
- <key> can be either a string or a variable name (See also "<span class="dropdown"><a class="dropdown-toggle" data-toggle="dropdown" href="#">set-var<span class="caret"></span></a><ul class="dropdown-menu"><li class="dropdown-header">This keyword is available in sections :</li><li><a href="#set-var%20%28Process%20management%20and%20security%29">Process management and security</a></li><li><a href="#set-var%20%28Alphabetically%20sorted%20actions%20reference%29">Alphabetically sorted actions reference</a></li><li><a href="#set-var%20%28Converters%29">Converters</a></li></ul></span>") that
24831
+
holds a certificate path.
24832
+
24833
+
Certificates must be standard PEM certificates (starting with BEGIN
24834
+
CERTIFICATE). Their path can be passed directly to the converter or
24835
+
referenced via a variable. If a variable is used, the corresponding
24836
+
certificates can either be declared in a crt-store or dynamically loaded
24837
+
via the stats socket.
24838
+
When a path is given directly, if the corresponding certificate was not
24839
+
loaded yet in the internal certificate store, it will be loaded during
24840
+
configuration parsing and it thus must already exist otherwise an error
24841
+
will be raised.
24842
+
24843
+
Only certificates that are explicitly defined as usable for JWT validation
24844
+
can be used. See "<a href="#jwt">jwt</a>" crt-store option.
24761
24845
24762
24846
It is possible to update certificates dynamically and add new certificates
24763
24847
using the stats socket. See also "set ssl cert" and "new ssl cert" in the
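Review bot: 24838-24841 say a certificate given by direct path "will be loaded during configuration parsing" when it is not yet in the store, while 24843-24844 say only certificates "explicitly defined as usable for JWT validation can be used"; the text should say whether such an auto-loaded certificate is flagged for JWT use automatically or whether the user still has to enable the "jwt" option for it, otherwise the direct-path form appears to always fail. Wording: "loaded yet in the internal certificate store" reads better as "yet loaded into the internal certificate store", and "it thus must already exist otherwise an error will be raised" as "it must therefore already exist, otherwise an error is raised".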
</div><a class="anchor" name="language"></a><a class="anchor" name="7-language"></a><a class="anchor" name="7.3.1-language"></a><a class="anchor" name="language (Using ACLs and fetching samples)"></a><a class="anchor" name="language (Converters)"></a><div class="keyword"><b><a class="anchor" name="language"></a><a href="#7.3.1-language">language</a></b>(<span style="color: #080"><value></span><span style="color: #008">[,<span style="color: #080"><default></span>]</span>)</div><pre class="text">Returns the value with the highest q-factor from a list as extracted from the
24800
24885
"accept-language" header using "<a href="#req.fhdr">req.fhdr</a>". Values with no q-factor have a
A more precise error message might also be displayed between parenthesis
33288
33373
after the "generic" error message. It can happen for "OCSP response check
33289
33374
failure" or "Error during insertion" errors.
33375
+
</pre><a class="anchor" name="jwt"></a><a class="anchor" name="12-jwt"></a><a class="anchor" name="12.7.1-jwt"></a><a class="anchor" name="jwt (Other sections)"></a><a class="anchor" name="jwt (Load options)"></a><div class="keyword"><b><a class="anchor" name="jwt"></a><a href="#12.7.1-jwt">jwt</a></b> <span style="color: #008">[ off | on ]</span></div><pre class="text">Allow for this certificate to be used for JWT validation via the
33376
+
"<a href="#jwt_verify_cert">jwt_verify_cert</a>" converter when set to 'on'. Its value default to 'off'.
33377
+
33378
+
When set to 'on' for a given certificate, the CLI command "del ssl cert" will
33379
+
not work. In order to be deleted, a certificate must not be used, either for
33380
+
SSL handshakes or JWT validation.
33381
+
33382
+
This option can be changed during runtime via the "add ssl jwt" and "del ssl
33383
+
jwt" CLI commands. See also "show ssl jwt" CLI command.
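Review bot: 33376: "Its value default to 'off'" should be "Its value defaults to 'off'". 33378-33380 state that "del ssl cert" will not work while the option is 'on'; say explicitly that the operator must first run "del ssl jwt" on that certificate (the command named at 33382-33383) before it can be deleted. The text also does not say whether the flag survives a "set ssl cert" update of the same certificate, which matters for key rotation; one sentence either way would avoid a rotated verification certificate unexpectedly losing or keeping its JWT eligibility.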