Need to compare client certificate CN with an entry in /etc/hosts

Radha Venkatesh (radvenka) radvenka at
Wed Nov 27 00:01:16 UTC 2013

I found the below snippet which could provide me the cn from the certificate. What would be the easiest way to compare this with an entry in /etc/hosts? Do we need an external module to do this?

The "map" directive with regex can be used instead of "if",
something like this:

      # $ssl_client_s_dn_cn is "" unless the subject DN contains "/CN=..."
      map  $ssl_client_s_dn  $ssl_client_s_dn_cn {
           default           "";
           ~/CN=(?<CN>[^/]+) $CN;   # named capture CN = text after "/CN=" up to the next "/"
      }

-----Original Message-----
From: nginx-bounces at [mailto:nginx-bounces at] On Behalf Of Francis Daly
Sent: Tuesday, November 26, 2013 3:16 PM
To: nginx at
Subject: Re: Need to compare client certificate CN with an entry in /etc/hosts

On Tue, Nov 26, 2013 at 07:19:55PM +0000, Radha Venkatesh (radvenka) wrote:

Hi there,

> An additional requirement is that we have to match the client certificate
> CN with an existing entry in /etc/hosts. What would be the simplest
> mechanism to do this? HttpPerlModule? Uwsgi?

In nginx terms, you have $remote_addr as the client IP address, and you
have the variables described in

as "things from the certificate".

I don't see CN listed there, so I suspect that whatever you do is going
to involve some extra parsing of the certificate, which probably means
something external or dynamic within nginx.conf.

The "simplest" mechanism is probably whichever one you are most familiar
with already.

Whether you use an embedded language or something external, you can make
sure to send the appropriate raw information to it, and let it decide
whether this is good or not.

You may be interested in trying as one
possible way of communicating the success or failure state of your check
back to nginx, but it all depends on the extra code that you must write.

Good luck with it,

Francis Daly        francis at
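A worked version of the decision logic discussed in this thread, added here as an example; it is not code from either poster and not part of nginx. It assumes the pattern Francis describes: nginx hands the raw facts ($ssl_client_s_dn and $remote_addr) to a small local service, which answers allow/deny. The header names X-Client-DN and X-Real-IP, the listen port 9000, and the use of ngx_http_auth_request_module to call the service are this example's choices, and SAMPLE_HOSTS is constructed input so the functions run offline. It goes a little beyond the map snippet above by accepting both DN layouts nginx has used ("/C=..../CN=name" and the RFC 2253 "CN=name,O=...") and by offering two strengths of check: CN merely present in /etc/hosts, or CN listed for the IP that actually connected.

```python
"""Check a TLS client certificate CN against /etc/hosts.

Example code for the nginx thread above, not from either poster. Assumptions
(not nginx conventions): nginx forwards $ssl_client_s_dn as X-Client-DN and
$remote_addr as X-Real-IP to this auth_request backend on 127.0.0.1:9000.
"""
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of /etc/hosts content so the functions can be run offline.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# build farm
10.0.0.5    build01.example.com build01
10.0.0.6    build02.example.com   # trailing comment
fe80::1     ipv6host.example.com
"""

# "CN=" must start the DN or follow a "/" (legacy layout) or "," (RFC 2253).
# Escaped separators inside an RFC 2253 value ("\,") are not handled here.
_CN_RE = re.compile(r'(?:^|[/,])CN=([^/,]+)')


def extract_cn(dn):
    """Return the CN from a $ssl_client_s_dn string, or None if absent."""
    m = _CN_RE.search(dn or "")
    return m.group(1).strip() if m else None


def parse_hosts(text):
    """Map lower-cased hostname -> set of ip_address objects.

    Blank lines and '#' comments are skipped; a line whose first field is not
    an IP address is ignored rather than treated as fatal.
    """
    table = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(addr)
    return table


def cn_in_hosts(cn, hosts_text):
    """Weak check: the CN appears as a hostname somewhere in /etc/hosts."""
    return bool(cn) and cn.lower() in parse_hosts(hosts_text)


def cn_matches_peer(cn, remote_addr, hosts_text):
    """Strong check: the CN is listed in /etc/hosts for the connecting IP.

    Name-only matching lets any holder of a certificate for a listed name
    connect from anywhere; tying the name to $remote_addr closes that gap.
    """
    if not cn:
        return False
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return peer in parse_hosts(hosts_text).get(cn.lower(), set())


class AuthHandler(BaseHTTPRequestHandler):
    """auth_request backend: 200 allows the request, 403 denies it."""
    hosts_path = "/etc/hosts"

    def do_GET(self):
        dn = self.headers.get("X-Client-DN", "")      # assumed header name
        peer = self.headers.get("X-Real-IP", "")      # assumed header name
        with open(self.hosts_path) as fh:
            ok = cn_matches_peer(extract_cn(dn), peer, fh.read())
        self.send_response(200 if ok else 403)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

On the nginx side this only means anything with ssl_verify_client on, so that the DN comes from a certificate chained to a CA you trust; otherwise a client can present a self-signed certificate carrying any CN it likes, and the /etc/hosts lookup checks nothing. The auth_request location would proxy to 127.0.0.1:9000 and set the two headers with proxy_set_header from $ssl_client_s_dn and $remote_addr. Note too that nginx changed the format of $ssl_client_s_dn to RFC 2253 in later releases, which is why extract_cn accepts both layouts while the map regex above only matches the "/CN=" form.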

nginx mailing list
nginx at