APIs need ability to set ssl_verify_client per Location
Linux gsmethells 2.6.32-279.el6.x86_64 #1 SMP Thu Jun 21 07:08:44 CDT 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx version: nginx/1.4.1
Our API and service design requires that there be a single server on a single (TLS) port and that clients are verified but only if sending requests to "/private/*.wsgi" and not our "/api/*.wsgi" public API location. A request to allow ssl_verify_client to be set per location would solve this issue cleanly. A ticket to address it was present in ticket 317; however, the response to
is insufficient to satisfy such needs since the author makes an over-simplification that client certificates apply to an entire server and a user of nginx would never need to apply client certificate verification at a granularity below that level. While server certificates may be applied to an entire server or not, client certificates do not follow this same paradigm. It is very common for only portions of a site to require authentication.
To circumvent this feature omission, our project is currently forced to not leverage the client verification portion of the TLS protocol! Instead, the project has implemented a proprietary verification solution at the WSGI layer, which from a rigorous standpoint, is non-optimal when one is already present in TLS.
Apache allows per-location SSL client verification while nginx lacks this feature. I believe nginx would be greatly improved by adding this feature as well.
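The pattern nginx does support for the situation described in this ticket, as an added example that is not the reporter's configuration: `ssl_verify_client` stays a server-level directive, but with the `optional` argument nginx requests a client certificate without aborting the handshake when none is sent, and the result of verification is exposed in the `$ssl_client_verify` variable, which a location block can then check. Hostnames, certificate paths, socket paths and the uwsgi backend are placeholders assumed for illustration.

```nginx
# Added example (not from the ticket): one server on one TLS port, the public
# /api/ location open to everyone, /private/ restricted to clients presenting
# a certificate that chains to the trusted CA. All paths are placeholders.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # CA that issued the client certificates this service trusts.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;

    # "optional": a client certificate is requested during the handshake but a
    # client that sends none is still allowed to connect. The outcome is then
    # available per request in $ssl_client_verify: SUCCESS, NONE, or FAILED
    # (newer releases append the reason, e.g. "FAILED:certificate has expired").
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # Public API: no client certificate required.
    location /api/ {
        include uwsgi_params;
        uwsgi_pass unix:/run/api.sock;
    }

    # Private API: refuse any request whose connection did not carry a
    # certificate that verified against client-ca.crt. Always test for SUCCESS
    # rather than for FAILED, because a client that sent no certificate at all
    # yields NONE and would otherwise slip through.
    location /private/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        include uwsgi_params;
        uwsgi_pass unix:/run/private.sock;
        # Hand the verified subject to the application for authorization.
        uwsgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
    }
}
```

Two caveats a practitioner should weigh before treating this as equivalent to a per-location `ssl_verify_client`: the certificate request still happens at the TLS handshake for the whole server, so clients of the public location are also asked for a certificate (browsers may prompt for one), and the `if ... return 403;` guard must be present in every protected location, since forgetting it on one block silently turns that block public. `if` inside `location` is safe here only because its body is a bare `return`; wrapping other directives in it is the case the nginx documentation warns against.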