Allow webpage access with a certificate (but without the enrolling to IdM)

[adriansev]

Hi! Is there a way to allow only a given DN (or multiple DNs) access to the cockpit web gui?
Thanks a lot!

L.E. What i mean is that i would like
https://cockpit-project.org/guide/latest/cert-authentication.html

but WITHOUT "To authenticate users from a Identity Management domain, the server that Cockpit is running on must be joined to that domain"

L.L.E i mean that the authentication is done as usual with user/password but the access to the actual webpage is allowed only if DN match

[martinpitt]

There is no way to do that in general with TCP (and thus not HTTP). The (cockpit or any other http) server does not even know the DN of the machine that does a request, only its IP address. The way to do this is either to filter this on the IP level with a firewall, or filter on the TLS level with certificates. Cockpit can't do the latter, but you can put it behind a reverse proxy like nginx or apache, and configure allowed TLS client certificates that way.