question about client certs

Francis Daly francis at
Wed Feb 3 21:21:59 UTC 2016

On Wed, Feb 03, 2016 at 09:37:25AM +0100, Aleksandar Lazic wrote:
> Am 02-02-2016 23:22, schrieb Alex Samad:

Hi there,

> Cool it would be nice if you can tell us if it's works and how was
> your solution ;-)

I think that "location" does not take variables, and so this will
not work.

More below.

> >On 2 February 2016 at 20:56, Aleksandar Lazic <al-nginx at> wrote:
> >>Am 02-02-2016 04:32, schrieb Alex Samad:

> >>>Is it possible with nginx to do this
> >>>
> >>>
> >>>/
> >>>/noclientcert/
> >>>/clientcert/
> >>>
> >>>so you can get to / with no client cert, but /clientcert/ you need a
> >>>cert, but for /noclientcert/ you don't need a cert.
> >>>
> >>>Looks like from the config doco you can only set it for the
> >>>whole tree ...

Untested by me, but if you set

  ssl_verify_client optional;

and then within your

  location ^~ /clientcert/ {}

you have something like

  if ($ssl_client_verify != SUCCESS) { return 403; }

would that fit your needs?

(If the content below /clientcert/ is all handled by an external process,
then possibly it could do its own validation or verification using values
provided by nginx.)$ssl_client_verify for some details.

Good luck with it,

Francis Daly        francis at

More information about the nginx mailing list