Nginx Path-based client-side TLS verification

Keeto asked:

I have googled around and it seems like nginx does not provide a way to do client-side TLS verification based on the path. I just wanted to ask the community if this is still the case, or if there is some sort of a work around.

I am basically trying to have an admin page domain-name/admin where accessing the public domain name requires only server-side TLS verification but I want to have mutual TLS verification only for the /admin path. Is this even possible without having to get a new domain for admin?

My answer:


It’s true, nginx will only verify client certificates at the server level at least. So it’s not possible for nginx to verify certificates for a single location only.

I would suggest a workaround: set ssl_verify_client to optional in that server block, and then check the result variable $ssl_client_verify in that location. This way, nginx will try to verify the client certificate, but will not act on the result; you have to do that yourself.

location /admin {
    # $ssl_client_verify is "SUCCESS", "NONE" or "FAILED:<reason>";
    # reject everything that is not a successfully verified certificate
    if ($ssl_client_verify != "SUCCESS") {
        return 403;
    }

    # ... rest of the location block
}

View the full question and answer on Server Fault.
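The workaround from the answer above, written out as a complete server block. This is an example added here, not part of the original answer or of the nginx documentation; the hostname, the certificate and CA file paths, the document root and the upstream address are assumptions.

```nginx
# Added example: one virtual host that serves the public site with
# server-side TLS only and requires a valid client certificate for /admin/.
# Hostname, paths and the upstream address are assumptions.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Request a client certificate in the handshake, but do not drop the
    # connection when none is presented or when it fails to validate.
    # Validation is done against this CA and the outcome is exposed in
    # $ssl_client_verify; ssl_verify_client can only be set per server,
    # which is why the decision has to be made inside the location.
    ssl_verify_client       optional;
    ssl_client_certificate  /etc/nginx/tls/admin-client-ca.pem;
    ssl_verify_depth        2;

    # Public content: no client certificate required.
    location / {
        root /var/www/example.com;
    }

    # Admin area: gate on the verification result.
    # $ssl_client_verify is "SUCCESS", "NONE" (no certificate presented)
    # or "FAILED:<reason>" (presented but not valid for the configured CA).
    # Only SUCCESS is allowed through. A bare `return` is one of the uses
    # of `if` that is safe inside a location block.
    location /admin/ {
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }

        # Hand the verified identity to the application so it can log and
        # authorise on it. The application must be reachable only through
        # nginx, otherwise these headers can be forged by a direct client.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

To check the behaviour, request `/admin/` once without a certificate and once with `curl --cert client.crt --key client.key`; the first should get 403 and the second the proxied page, while `/` is served either way. Two points worth knowing before relying on this: because `ssl_verify_client optional` applies to the whole server block, browsers holding a certificate issued by the configured CA will offer (and may prompt for) it even on public paths, and the location is written as `/admin/` rather than `/admin` so that a prefix match does not also cover paths such as `/administration`.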

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.