id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
400	ssl_verify_client per location basis	Andrey Novikov		"I want to enable client certificate authentication only for some location.

Example: require certificate ONLY for certificate-based auth.

{{{
server {
    listen      80;
    listen      443 ssl;
    server_name myapp.com;
    charset     utf-8;
    root        /path/to/public/dir;
    try_files   $uri $uri/index.html;

    ssl_certificate        /path/to/myapp/certs/myapp.pem;
    ssl_certificate_key    /path/to/myapp/certs/myapp.key;
    ssl_client_certificate /path/to/myapp/certs/myapp_ca.pem;
    ssl_verify_depth       2;

    location = /user/login/certificate {
        ssl_verify_client on;
        # The application itself will check for user existence and validity by certificate
        # The nginx task: pass only users with valid certificates
    }
}
}}}

We shouldn't require a certificate from new users on all pages.
If a user has any certificate installed in the browser, then with `ssl_verify_client optional;` the browser will ask the user for a certificate on the first visit. It might scare an inexperienced user, and an experienced user may ask: ‘Why is this site asking for my certificate?’

For now the `ssl_verify_client` option is allowed only in the `http` and `server` scopes. I suggest allowing its use in the `location` scope.

Current versions produce the following error for the above config:
{{{
2013/08/23 11:00:41 [emerg] 5500#0: ""ssl_verify_client"" directive is not allowed here in /etc/nginx/sites-enabled/myapp:15
}}}

This requires the SSL rehandshake implementation in Nginx. Link: http://forum.nginx.org/read.php?29,173747,173838#msg-173838

Workarounds: using another subdomain or tricky directives (see discussions below)

Discussion 1: http://forum.nginx.org/read.php?29,173747
Discussion 2: http://forum.nginx.org/read.php?10,214169

"	enhancement	closed	minor		nginx-module		wontfix	ssl, client, certificate auth		Linux envek-work 3.8.0-29-generic #42-Ubuntu SMP Tue Aug 13 19:40:39 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.5.0
TLS SNI support enabled
(A lot of modules omitted, this is `nginx-extras` package from nginx development PPA)"
