I need to secure only a single URL on my server by demanding or enforcing 
client certificate based authentication. My application is called by opening 
"myapp.local" and if necessary it logs in a user by issuing a call to 
"myapp.local/login". I can not create a second hostname to do the login, so 
specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time I do not want to enforce 
ssl_verify for `/` because then the user would be prompted with a certificate 
selection dialog even before he can see the start page of my application.

This is my current setup which does not work because the first `server` 
definition block has higher priority. I tried to keep the example short, 
because of this you see some `...`, the ssl/tls stuff is in my config file but 
is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make 
any difference. I am on mainline 1.13.8.

http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }
    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }
    }
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
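
One way to get per-path enforcement on a single hostname, shown as an added example that is not part of the original post: request the client certificate for the whole server with `ssl_verify_client optional` and reject unverified requests only in `location /login`. The certificate, key, CA bundle and web root paths are placeholders, since the post elides them, and `myapp.local` is taken from the post's description.

```nginx
# Added example, not the poster's configuration.
http {
    server {
        listen 443 ssl http2;
        server_name myapp.local;

        # Placeholder paths: the post does not give the real ones.
        ssl_certificate     /path/to/server.crt;
        ssl_certificate_key /path/to/server.key;
        ssl_session_cache   shared:SSL:1m;

        # Placeholder path to the bundle of accepted client CAs.
        ssl_client_certificate /path/to/acceptedcas.pem;
        ssl_verify_depth 2;

        # Ask for a client certificate during the TLS handshake, but let
        # the handshake succeed when none is presented. The result is
        # exposed in $ssl_client_verify (NONE, SUCCESS or FAILED:reason).
        ssl_verify_client optional;

        # Start page: served whether or not a certificate was presented.
        location / {
            root /path/to/webroot;   # placeholder
        }

        # Login: only requests on a connection with a verified client
        # certificate are passed to the backend.
        location /login {
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }

            # proxy_set_header replaces any client-supplied header of the
            # same name, so the backend sees only nginx's value.
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;

            proxy_pass http://localhost:8080;
        }
    }
}
```

`ssl_verify_client` is valid only at `http` and `server` level and the certificate request is sent during the TLS handshake, so a browser holding a certificate issued by one of the listed CAs may still show its selection dialog on the first connection; dismissing it leaves `/` reachable and `/login` answering 403. The backend on port 8080 should accept the `X-SSL-Client-Serial` header only from nginx, since anything that can reach it directly could set the header itself.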
