Clientcertificate authentication only for a single URL

Gbg garbage at gmx.de
Mon Feb 19 15:12:23 UTC 2018



I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and if necessary it logs in a user by issuing a call to "myapp.local/login". I can not create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time I do not want to encorce ssl_verify for `/` because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.

This is my current setup which does not work because the first `server` definition block has higher priority. I tried to keep the example short, because of this you see some `...`, the ssl/tls stuff is in my config file but is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference. I am on mainline 1.13.8

http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }
    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }
    }
}


More information about the nginx mailing list