I would think "location=" would solve this.  What about something like the 
following?

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;
        include templates/ssl_setup.conf;

        location = /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }

        location  / {
            root /var/www/...;
        }
    }

Jason
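
An added example, not a configuration from either poster: `ssl_verify_client` is only valid in the `http` and `server` contexts, so a single server block can request a certificate with `optional` and enforce it per location on `$ssl_client_verify`; paths and the upstream port are assumptions.

```nginx
# Added example (not from the thread). Certificate verification is requested
# for the whole server but only enforced for /login. File paths are assumed.
server {
    listen 443 ssl http2;
    server_name myapp.local;

    ssl_certificate     /etc/nginx/certs/myapp.local.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/myapp.local.key;   # assumed path
    ssl_session_cache   shared:SSL:1m;

    # ssl_verify_client cannot be set inside a location, so nginx cannot demand
    # a certificate for one URL only. With "optional" the TLS handshake still
    # asks for a certificate (a browser holding a matching one may prompt), but
    # clients without one are still accepted; the decision is made below.
    ssl_client_certificate /etc/nginx/certs/acceptedcas.pem;   # assumed path
    ssl_verify_depth       2;
    ssl_verify_client      optional;

    location = /login {
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>. Reject anything
        # but SUCCESS here, before the request reaches the application.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # proxy_set_header replaces any same-named header sent by the client,
        # but the backend on 8080 must be reachable only through nginx, or the
        # X-SSL-Client-* headers could be supplied directly by a caller.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://localhost:8080;
    }

    location / {
        # Served without any certificate check; no client data is forwarded.
        root /var/www/myapp;   # assumed path
    }
}
```

With `optional` a request that presents no certificate reaches `/login` with `$ssl_client_verify` set to `NONE` and is refused with 403 rather than an aborted handshake, which is easier to see in the access log.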


-----Original Message-----
From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of Gbg
Sent: Monday, February 19, 2018 9:12 AM
To: nginx@nginx.org
Subject: [IE] Client certificate authentication only for a single URL

I need to secure only a single URL on my server by demanding or enforcing 
client certificate based authentication. My application is called by opening 
"myapp.local" and if necessary it logs in a user by issuing a call to 
"myapp.local/login". I cannot create a second hostname to do the login, so 
specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time I do not want to enforce 
ssl_verify for `/` because then the user would be prompted with a certificate 
selection dialog even before he can see the start page of my application.

This is my current setup which does not work because the first `server` 
definition block has higher priority. I tried to keep the example short, 
which is why you see some `...`; the ssl/tls stuff is in my config file but 
is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make 
any difference. I am on mainline 1.13.8.

http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }

    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache       shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }
    }
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
