Nginx and mutual TLS/two way SSL auth per location

Hi

Basically I need to implement smart card authentication for one location/file only.

I have added my CA to vhost config.

ssl_client_certificate /etc/ssl/certs/id.pem;
ssl_verify_client optional;
ssl_verify_depth 2;

Now there is a problem... How to ask for a certificate only for one location? No matter how I try, it either starts asking for a certificate for the whole site or won't ask at all.

location /auth.php {
    fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
    fastcgi_param DN $ssl_client_s_dn;
    try_files $uri $uri/;
}

I found these on Google but they were no help for my problem:

https://serverfault.com/questions/721572/nginx-verifying-client-certs-only-on-a-particular-location

https://serverfault.com/questions/327002/how-to-use-ssl-verify-client-on-on-one-virtual-server-and-ssl-verify-client-off

On Apache2 it's simple:

SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +StdEnvVars

1 thought on “Nginx and mutual TLS/two way SSL auth per location”

  1. This code should help to enable it on a particular location:

    location / {
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        return 200; # can be any conf
    }

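A complete server block built on the commenter's approach, added here as an example and not taken from the original post or comment. The certificate request is part of the TLS handshake, which finishes before nginx sees the URL, so `ssl_verify_client` can only be set per server; `optional` asks every client but never fails the handshake, and the check inside the location does the actual enforcement. The PHP-FPM socket path, web root and hostname are assumed values.

```nginx
# Added example, not from the original post. Assumes PHP-FPM listens on
# unix:/run/php/php-fpm.sock and the site lives in /var/www/html.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/server.pem;
    ssl_certificate_key /etc/ssl/private/server.key;

    # Requested during the handshake for the whole server block; "optional"
    # never rejects a client, it only fills $ssl_client_verify for later use.
    ssl_client_certificate /etc/ssl/certs/id.pem;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    root  /var/www/html;
    index index.php;

    # Everything else: no certificate needed, $ssl_client_verify is ignored.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Only this file requires a certificate that chains to the CA in id.pem.
    # Exact match ("=") wins over the regex block below.
    location = /auth.php {
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        # Pass the result and subject DN so PHP can check them again itself.
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Other PHP files run without a certificate check.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Because the request is made in the handshake, a browser that holds a matching certificate may still prompt for it on any page of this server block; the only way to avoid that prompt entirely is to serve the protected path from a separate server block with its own hostname.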
