Nginx filter client authentication

Francis Daly francis at
Fri May 18 16:41:32 UTC 2018

On Fri, May 18, 2018 at 12:59:32PM +0200, Marcello Lorenzi wrote:

Hi there,

> we're trying to configure a client certificate authentication on a Nginx
> 1.12.2 instance on our development environment, and all works fine. We
> would filter the access to a specific site with some particular client
> certificate to avoid that other certificates trusted by the same CA can
> access to this endpoint. Is it possible to configure it?

The variable $ssl_client_verify can tell you that the certificate is valid
(signed by a trusted CA, and in date). The variable $ssl_client_cert
and friends like $ssl_client_s_dn tell you the certificate contents.

If you have the list of which certificates to allow, or which to reject,
then you can use a "map" to set a reject-variable, and if that variable
is true, deny access.

Francis Daly        francis at

More information about the nginx mailing list