nginx reverse proxy: with/without client cert on different path/location (same host/FQDN)

Arjan Filius iafilius at
Fri Aug 5 07:55:34 UTC 2011

Hello nginx list,

running version 0.8.54-4 9 (ubuntu 11.04)

Tried to configure nginx as reverse proxy for a wish to have client cert 
authention on a specific url-path, but i failed.

The wish is to have:
https://hostA/pathA -> no client cert       -> upstreamA
https://hostA/pathB -> client cert required -> upstreamB

I tried to configure nginx in one server definition multiple locations, 
within the locations "ssl_client_certificate  off;" in one location and 
"ssl_client_certificate  on;" in the other location. but got an error as:
011/08/05 07:54:56 [emerg] 5376#0: "ssl_client_certificate" directive is 
not allowed here in ....(file/line number)

Another way i tried, is to have 2 identical server definitions, except for 
the location and ssl_client_certificate on/off; But then i got the 
(more or less expected) error twice:
2011/08/05 07:58:43 [warn] 5392#0: conflicting server name 
"<FQDN>" on <IP>:443, ignored

my question,

is it possible what i'm trying to configure?

another question, related to this, i'd like to give the email from the 
client certificate to the backend (in a http header variabele), but found 
one way close to what i want, and that is to give the complete certificate 
($ssl_client_cert) to upstream, but that way eats much of the 4000Bytes 
max http header space..
Is there a way to set just the email from client cert?

Thanks in advance,

Arjan Filius
mailto:iafilius at

More information about the nginx mailing list