> I found the below snippet which could provide me the cn from the certificate. 

Great, now you have a variable to hold the CN that you want to do
something with.

> What would be the easiest way to compare this with an entry in /etc/hosts? Do we need an external module to do this?

I think you need some form of programming, if you want to read /etc/hosts
"live" each time -- you can try whatever language you have compiled into
your nginx, or you can use any one of the *_pass directives to talk
to whatever you write in the language of your choice.

If you are happy to statically write the contents of /etc/hosts into
your nginx.conf, so that it is only read on startup, you could probably
do it all in config: use another "map" to check that $ssl_client_s_dn_cn
is one of your expected values:

  map $ssl_client_s_dn_cn $is_cn_in_etc_hosts {
    default	"no";
    hostname1	"yes";
  }

Or you could check that the matching IP address is the same as
$remote_addr, if that is what you want:

  map $ssl_client_s_dn_cn $what_ip_should_cn_have {
    default	"";
    hostname1	"";	# the address /etc/hosts lists for hostname1
  }

and then compare $what_ip_should_cn_have with $remote_addr.

Francis Daly        francis at
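Since the reply's config-only approach means copying /etc/hosts into nginx.conf by hand, here is an added example (not from the thread or from nginx) that generates both "map" blocks from an /etc/hosts-style text and mirrors the CN / $remote_addr decision nginx would make. The hosts content is constructed sample data; the lower-casing of names is this script's own choice.

```python
"""Generate the two nginx "map" blocks from an /etc/hosts-style text.

Added example, not code from the mailing-list thread or from nginx.
"""

# Constructed sample /etc/hosts content: comments, blank lines, aliases
# and an IPv6 entry are included because real files contain them.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1   localhost
::1         localhost ip6-localhost

192.0.2.10  hostname1 hostname1.example.test   # build box
192.0.2.11  hostname2
"""


def parse_hosts(text):
    """Return {hostname: ip} for every canonical name and alias.

    Comments and blank lines are skipped. The first entry for a name wins,
    as the resolver does. Names are lower-cased (this script's choice) so
    that a CN in mixed case still matches.
    """
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, hostnames = fields[0], fields[1:]
        for name in hostnames:
            names.setdefault(name.lower(), ip)
    return names


def nginx_quote(value):
    """Quote a map key or value so embedded quotes/backslashes are safe."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_maps(names):
    """Emit the $is_cn_in_etc_hosts and $what_ip_should_cn_have maps."""
    cn_map = ["map $ssl_client_s_dn_cn $is_cn_in_etc_hosts {", '    default "no";']
    ip_map = ["map $ssl_client_s_dn_cn $what_ip_should_cn_have {", '    default "";']
    for name in sorted(names):
        cn_map.append(f"    {nginx_quote(name)} \"yes\";")
        ip_map.append(f"    {nginx_quote(name)} {nginx_quote(names[name])};")
    cn_map.append("}")
    ip_map.append("}")
    return "\n".join(cn_map) + "\n\n" + "\n".join(ip_map) + "\n"


def check_client(names, cn, remote_addr):
    """Mirror the nginx-side decision for one client certificate:
    (is_cn_in_etc_hosts, what_ip_should_cn_have, address matches)."""
    expected = names.get(cn.lower(), "")
    known = "yes" if expected else "no"
    return known, expected, bool(expected) and expected == remote_addr


if __name__ == "__main__":
    print(render_maps(parse_hosts(SAMPLE_HOSTS)))
```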

