Nginx and mutual TLS/two way SSL auth per location


Basically, I need to implement smart card authentication for one location/file only.

I have added my CA to vhost config.

    ssl_client_certificate /etc/ssl/certs/id.pem;
    ssl_verify_client optional;
    ssl_verify_depth 2;

Now there is a problem... How do I ask for a certificate for only one location? No matter how I try, it starts asking for a certificate for the whole site or won't ask at all.

    location /auth.php {
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
        try_files $uri $uri/ ;
    }

I found these on Google, but they were no help for my problem.

On apache2 it's simple:

    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars

  1. This code should help to enable it on a particular location:

    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        return 200; # can be any conf
    }


