Various errors while configuring nginx for certificate-based client auth

lucaprete nginx-forum at
Thu Dec 5 11:51:17 UTC 2019

Hi guys,

I'm using nginx in form of container (, version
I'm trying to set up my nginx to do TLS auth and then forward packets to
another host in the network.
As part of this I also have to support some probes that continuously monitor
a secondary location, same server, same port.

This is my configuration

server {
  listen 443 ssl;
  server_name  ;

  ssl_certificate        /etc/nginx/certs/tls.crt;
  ssl_certificate_key    /etc/nginx/certs/tls.key;

  ssl_client_certificate /etc/nginx/ca_certs/ca.crt;
  ssl_verify_client      optional;
  ssl_verify_depth       2;

  location = /healthz {
    return 200 'the app is alive!';
  }

  location = / {
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }

    proxy_pass       http://other-host:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header SSL_Client $ssl_client_s_dn;
    proxy_set_header SSL_Client_Verify $ssl_client_verify;
  }
}

First of all, as soon as I load the configuration I get the following

2019/12/05 10:22:35 [emerg] 1#1: invalid condition "!=" in
nginx: [emerg] invalid condition "!=" in /etc/nginx/conf.d/mydomain.conf:36

I find this if directive on any possible tutorial. I'm really not sure
what's wrong here...

Also, even if I remove the if clause (just to see if otherwise it would
work) I get another error:

2019/12/05 11:10:20 [emerg] 1#1: invalid number of arguments in
"proxy_set_header" directive in /etc/nginx/conf.d/mydomain.conf:41
nginx: [emerg] invalid number of arguments in "proxy_set_header" directive
in /etc/nginx/conf.d/mydomain.conf:41

Even after removing the entire `location = /` block (to see if at least
the container starts and /healtz returns 200), I still get the following

2019/12/05 11:43:30 [error] 8#8: *90 open() "/etc/nginx/html/healtz" failed (2: No such file or directory), client:, server: , request: "GET /healtz HTTP/1.1", host: ""
 - - [05/Dec/2019:11:43:30 +0000] "GET /healtz HTTP/1.1" 404 153 "-" "Wget" "-"
 - - [05/Dec/2019:11:43:40 +0000] "GET / HTTP/1.1" 404 153 "-" "-" "-"

Shouldn't the return directive (as written) simply return a 200 and the
message, even if a page is not present?

Sorry if I posted in the same thread three different issues... I just
thought it would have made sense to post them together.

Thank you,


Posted at Nginx Forum:,286413,286413#msg-286413
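
The two [emerg] messages quoted above are what nginx prints when an `if` condition or a `proxy_set_header` directive reaches the parser without its `$variable` operand. The following is an added example, not part of the original post: a pre-load check that flags those two shapes in a rendered config file. It assumes, which the post does not confirm, that the file nginx read differs from the one pasted (for instance because a templating step expanded `$...` to empty strings); `lint` and `RENDERED` are hypothetical names.

```python
import re
import shlex

# Constructed sample: the post's "location = /" block as it would look if
# every $variable had been expanded to an empty string before nginx read it
# (assumption; the post does not show the file nginx actually parsed).
RENDERED = """\
location = / {
    if ( != SUCCESS) {
        return 403;
    }
    proxy_pass       http://other-host:8080;
    proxy_set_header Host ;
    proxy_set_header X-Real-IP ;
    proxy_set_header SSL_Client_Verify $ssl_client_verify;
}
"""

IF_RE = re.compile(r"^if\s+\(\s*(\S+)")


def lint(conf):
    """Return (line, message) pairs for the two parser errors in the post.

    Simplification: one directive per line, '#' always starts a comment.
    """
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = IF_RE.match(line)
        if m:
            first = m.group(1)
            # nginx accepts a condition that starts with $var or with a file
            # test such as -f / !-f; anything else is "invalid condition".
            if not first.startswith(("$", "-", "!-")):
                findings.append((lineno, 'invalid condition "%s"' % first))
            continue
        args = shlex.split(line.rstrip(";{ "))
        if args and args[0] == "proxy_set_header" and len(args) != 3:
            findings.append(
                (lineno, 'invalid number of arguments in "proxy_set_header" directive'))
    return findings


if __name__ == "__main__":
    for lineno, message in lint(RENDERED):
        print("line %d: %s" % (lineno, message))
```

With `ssl_verify_client optional`, the `if` block is the only thing rejecting requests without a verified certificate on `/`, so a rendered file that fails this check should stop the deployment rather than be worked around by deleting the guard.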
