question about client certs

B.R. reallfqq-nginx at
Tue Feb 2 07:51:07 UTC 2016

Your question shows you need to understand how HTTP over TLS works.

TLS enciphers HTTP content, thus nothing is readable (either headers or
How do you select the right certificate based on HTTP content? You can't.

Wait, Host-HTTP-Header-based certificate delivery exists, how is that
With TLS it is basically impossible, but it works through a TLS extension
called Server Name Indication (SNI). nginx docs talk about that:

Now what you ask requires access to enciphered HTTP content.
Short answer: there is no way to do that, you will need to use different
servers, either using SNI (as Andreas suggested) or separate IP addresses.
*B. R.*

On Tue, Feb 2, 2016 at 7:05 AM, A. Schulze <sca at> wrote:

> Alex Samad:
>> Is it possible with nginx to do this
>> /
>> /noclientcert/
>> /clientcert/
>> so you can get to / with no client cert, but /clientcert/ you need a
>> cert, but for /noclientcert/ you don't need a cert.
> as far as I learned it's not possible and the usual answer
> to such feature requests is: "use different virtual hosts"
> Andreas
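The "different virtual hosts" approach suggested in this thread, sketched as an added example that is not part of the original messages. The hostnames, document roots and certificate paths are placeholders; the point is that the server block is chosen by SNI during the TLS handshake, so the client-certificate requirement is attached to a hostname rather than to a URL path.

```nginx
# Added example, not from the thread. All names and paths are placeholders.

# Public host: serves / and /noclientcert/ without requesting a client cert.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        root /var/www/public;
    }

    # The protected path lives on the host that enforces client certs.
    location /clientcert/ {
        return 301 https://secure.example.com$request_uri;
    }
}

# Protected host: selected via SNI before any HTTP content is visible,
# so nginx can ask for a client certificate as part of the handshake.
server {
    listen 443 ssl;
    server_name secure.example.com;

    ssl_certificate     /etc/nginx/tls/secure.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/secure.example.com.key;

    # CA that issued the client certificates (placeholder path).
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    # Require a valid client certificate for every request to this host.
    ssl_verify_client on;
    ssl_verify_depth 2;

    location /clientcert/ {
        root /var/www/protected;
    }

    # Nothing else is served from the protected host.
    location / {
        return 404;
    }
}
```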