Document signature

sysmartem
2022-05-09
2022-05-14

    sysmartem - 2022-05-09

    Hi
    I have a SignServer with a MariaDB database on a Debian 9 system. I have to make it so that when a client wants to sign a document, he is automatically assigned one signature or another according to his IP. Any idea how I could do this?

  • Markus Kilås

    Markus Kilås - 2022-05-14

    Hi sysmartem,

    I am not aware of a way of doing exactly this out of the box.

    However, there are some possibilities, but they would require some development:
    1. The first that comes to mind is that there is a type of workers called Dispatchers that will not do any signing by themselves but instead send the request to another signer based on some criteria. If there were a Dispatcher that could choose the signer based on IP address then this could have been an option. Unfortunately, today dispatching can only be done based on username, time-stamping policy or to use the first active one.
    2. Another idea could be to use the same worker but choose different keys for the signature. There is a component called Alias Selector that can be configured on a signer and which applies some logic to which key should be chosen. Existing implementations look at the username or a request metadata property. The request metadata way could be used if you would like the client to decide for himself which key to use, but that is probably not what you want here.
    What could be developed is a new alias selector, say "RemoteAddressAliasSelector", that would be configured with a mapping from IP address to which key alias to use.
    3. If you have a reverse proxy (like Apache HTTP Server or nginx) in front of SignServer you could possibly implement the logic there using mod_rewrite so that a call to /signbyip goes to either /signserver/worker/signer1 or /signserver/worker/signer2 or something like that. Not sure exactly how it would be done, but at least there you would have access to the IP address and could rewrite the URL used. It could also be possible to combine this with 2. and have Apache set different usernames and use the UsernameAuthorizer in SignServer, but it depends on what auth method you need.

    Cheers,
    Markus

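The reverse-proxy approach from option 3 above, written out as an Apache HTTP Server 2.4 configuration. This is an added example by the editor, not configuration from Markus or the SignServer project. It assumes SignServer listens on 127.0.0.1:8080, that the two workers are named signer1 and signer2 (the names used in the reply), that the client networks 10.1.0.0/16 and 10.2.0.0/16 are constructed placeholders, and that mod_rewrite, mod_proxy and mod_proxy_http are loaded.

```apache
# Added example, not part of the original thread.
# Route POSTs to /signbyip to a per-network SignServer worker, deciding on
# the address of the TCP peer that connected to this proxy.
<VirtualHost *:443>
    ServerName signserver.example.com        # assumed hostname
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted for brevity

    RewriteEngine On

    # "-R '<cidr>'" is the ap_expr shorthand for
    # "%{REMOTE_ADDR} -ipmatch '<cidr>'".  REMOTE_ADDR is the socket peer
    # address, which a client cannot forge.  Do not decide on
    # X-Forwarded-For here: any client can send that header, so it is only
    # trustworthy if an upstream proxy you control overwrites it.

    # Clients in 10.1.0.0/16 (constructed example network) -> signer1
    RewriteCond expr "-R '10.1.0.0/16'"
    RewriteRule ^/signbyip$ http://127.0.0.1:8080/signserver/worker/signer1 [P,L]

    # Clients in 10.2.0.0/16 (constructed example network) -> signer2
    RewriteCond expr "-R '10.2.0.0/16'"
    RewriteRule ^/signbyip$ http://127.0.0.1:8080/signserver/worker/signer2 [P,L]

    # Anyone else: refuse explicitly instead of silently falling back to a
    # default key, so a misconfigured network range shows up as a 403 in
    # the access log rather than as a document signed with the wrong key.
    RewriteRule ^/signbyip$ - [R=403,L]

    # Only the rewritten paths are proxied; /signserver/worker/... is not
    # exposed directly, so clients cannot pick a signer by naming it.
    ProxyPassReverse /signserver/ http://127.0.0.1:8080/signserver/
</VirtualHost>
```

The [P] flag hands the rewritten URL to mod_proxy, so the client only ever sees /signbyip and the worker name is chosen by the proxy. Keep the 403 fallback: the rewrite rules are the only thing tying a network to a key, and a request that matches none of them should fail loudly. Check the mapping after each change with a request from each network (for example `curl --resolve` from a host in each range) and confirm in the SignServer audit log which worker handled it.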
