Opened 7 years ago

Closed 7 years ago

#400 closed enhancement (wontfix)

ssl_verify_client per location basis

Reported by: Andrey Novikov Owned by:
Priority: minor Milestone:
Component: nginx-module Version:
Keywords: ssl, client, certificate auth Cc:
uname -a: Linux envek-work 3.8.0-29-generic #42-Ubuntu SMP Tue Aug 13 19:40:39 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.5.0
TLS SNI support enabled
(A lot of modules omitted, this is `nginx-extras` package from nginx development PPA)

Description

I want to enable client certificate authentication only for some location.

Example: require certificate ONLY for certificate-based auth.

server {
    listen      80;
    listen      443 ssl;
    server_name myapp.com;
    charset     utf-8;
    root        /path/to/public/dir;
    try_files   $uri $uri/index.html;

    ssl_certificate        /path/to/myapp/certs/myapp.pem;
    ssl_certificate_key    /path/to/myapp/certs/myapp.key;
    ssl_client_certificate /path/to/myapp/certs/myapp_ca.pem;
    ssl_verify_depth       2;

    location = /user/login/certificate {
        ssl_verify_client on;
        # The application itself will check for user existance and validness by certificate
        # The nginx task: pass only users with valid certificates
    }
}

We shouldn't require certificate from new users on all pages
If user have any certificate installed in browser, then with ssl_verify_client optional; on first visit browser will ask user for certificate. It might scare the inexperienced user and experienced user may ask: ‘Why this site asks for my certificate?’

For now ssl_verify_client option allowed only in http and server scope. I suggest allow it's use in location scope.

Current versions produces next error for above config:

2013/08/23 11:00:41 [emerg] 5500#0: "ssl_verify_client" directive is not allowed here in /etc/nginx/sites-enabled/myapp:15

This requires the SSL rehandshake implementation in Nginx. Link: http://forum.nginx.org/read.php?29,173747,173838#msg-173838

Workarounds: using another subdomain or tricky directives (see discussions below)

Discussion 1: http://forum.nginx.org/read.php?29,173747
Discussion 2: http://forum.nginx.org/read.php?10,214169

Change History (1)

comment:1 by Maxim Dounin, 7 years ago

Resolution: wontfix
Status: newclosed

There are no plans to implement this in foreseeable future.

Note: See TracTickets for help on using tickets.