$ssl_client_escaped_cert forward client cert in URL encoded PEM only

Lyubenov, Branimir branimir.lyubenov at sap.com
Mon Jul 13 13:59:18 UTC 2020

Hello team,
We use nginx as reverse proxy to a upstream endpoint which requires a client cert authentication. The proxy is configured to request a certificate from the browser and then to set a header in the proxy location block like:
proxy_set_header SSL_CLIENT_CERT $ssl_client_escaped_cert;

The upstream server supports PEM with some restrictions:

  1.  Newlines should be replaced by space (or any whitespace)
  2.  Or alternatively only the base64 content in one row (no blanks) without BEGIN.. END CERTIFICATE sections

Manipulating the upstream server is not an option. It is not another nginx instance. Is it possible to rewrite the header before it is sent by replacing all %0d and %0a with space and URL decoding a few other characters like %2f?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200713/e361aae8/attachment.htm>

More information about the nginx mailing list