question about client certs

B.R. reallfqq-nginx at yahoo.fr
Tue Feb 2 07:51:07 UTC 2016


Your question shows you need to understand how HTTP over TLS works.

TLS enciphers HTTP content, thus nothing is readable (either headers or
body).
How do you select the right certificate based on HTTP content? You can't.

Wait, Host-HTTP-Header-based certificate delivery exists, how is that
possible?
With TLS it is basically impossible, but it works through a TLS extension
called Server Name Indication (SNI). nginx docs talk about that:
http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

Now what you ask requires access to enciphered HTTP content.
Short answer: there is no way to do that, you will need to use different
servers, either using SNI (as Andreas suggested) or separate IP addresses.
---
*B. R.*

On Tue, Feb 2, 2016 at 7:05 AM, A. Schulze <sca at andreasschulze.de> wrote:

>
> Alex Samad:
>
>> Is it possible with nginx to do this
>>
>> https://www.abc.com
>> /
>> /noclientcert/
>> /clientcert/
>>
>>
>> so you can get to / with no client cert, but /clientcert/ you need a
>> cert, but for /noclientcert/ you don't need a cert.
>>
>
> as far as I learned it's not possible and the usual answer
> to such feature requests is: "use different virtual hosts"
>
> Andreas
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
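As an added example (not part of the thread, and not nginx's own documentation), here is the "different virtual hosts" approach both replies point to, written as an nginx configuration: two SNI-selected server blocks on the same address, one that never asks for a client certificate and one that requires one signed by an internal CA. The hostnames, certificate paths and backend address are placeholders.

```nginx
# Added example, not from the original thread. Hostnames, file paths and
# the backend address are placeholders.

# Public site: nothing under this name requests a client certificate.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    # Default value, stated explicitly for contrast with the block below.
    ssl_verify_client off;

    location / {
        root /var/www/public;
    }
}

# Restricted site: the TLS handshake itself fails unless the client presents
# a certificate that chains to the internal CA.
server {
    listen 443 ssl;
    server_name secure.example.com;   # selected via SNI on the same IP

    ssl_certificate     /etc/nginx/tls/secure.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/secure.example.com.key;

    # Trust anchor used to verify client certificates.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Forward the verified client identity to the application so it can
        # authorize per user; nginx only checks the chain, not the subject.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Because the requirement is decided per server block during the handshake, a client connecting to secure.example.com without a valid certificate is rejected before any HTTP request line or header is read.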