Opened 11 years ago
Closed 11 years ago
#400 closed enhancement (wontfix)
ssl_verify_client per location basis
Reported by: | Andrey Novikov | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | |
Keywords: | ssl, client, certificate auth | Cc: | |
uname -a: | Linux envek-work 3.8.0-29-generic #42-Ubuntu SMP Tue Aug 13 19:40:39 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | | |
nginx -V: | nginx version: nginx/1.5.0; TLS SNI support enabled (a lot of modules omitted; this is the `nginx-extras` package from the nginx development PPA) | | |
Description
I want to enable client certificate authentication only for some locations.
Example: require a certificate ONLY for certificate-based auth.

```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name myapp.com;
    charset utf-8;
    root /path/to/public/dir;
    try_files $uri $uri/index.html;

    ssl_certificate        /path/to/myapp/certs/myapp.pem;
    ssl_certificate_key    /path/to/myapp/certs/myapp.key;
    ssl_client_certificate /path/to/myapp/certs/myapp_ca.pem;
    ssl_verify_depth 2;

    location = /user/login/certificate {
        # Not allowed at location scope in current nginx; this is the line the
        # error below refers to.
        ssl_verify_client on;
        # The application itself will check for user existence and validity by certificate.
        # The nginx task: pass only users with valid certificates.
    }
}
```
We shouldn't require a certificate from new users on all pages.
If the user has any certificate installed in the browser, then with `ssl_verify_client optional;` the browser will ask the user for a certificate on the first visit. It might scare an inexperienced user, and an experienced user may ask: ‘Why does this site ask for my certificate?’
For now `ssl_verify_client` is allowed only in `http` and `server` scope. I suggest allowing its use in `location` scope.
Current versions produce the following error for the above config:

```
2013/08/23 11:00:41 [emerg] 5500#0: "ssl_verify_client" directive is not allowed here in /etc/nginx/sites-enabled/myapp:15
```
This requires the SSL rehandshake implementation in Nginx. Link: http://forum.nginx.org/read.php?29,173747,173838#msg-173838
Workarounds: using another subdomain or tricky directives (see the discussions below).
Discussion 1: http://forum.nginx.org/read.php?29,173747
Discussion 2: http://forum.nginx.org/read.php?10,214169
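The "another subdomain" workaround mentioned above, written out as an added example (this is not configuration from the ticket or from the nginx project). It assumes a hypothetical `auth.myapp.com` host covered by the same certificate, a backend on `127.0.0.1:8080`, and SNI support (which the reporter's `nginx -V` shows enabled), so that two HTTPS server blocks can share one address.

```nginx
# Main site: never requests a client certificate, so first-time visitors
# are never prompted by their browser.
server {
    listen 443 ssl;
    server_name myapp.com;
    ssl_certificate     /path/to/myapp/certs/myapp.pem;   # must also cover auth.myapp.com (SAN or wildcard)
    ssl_certificate_key /path/to/myapp/certs/myapp.key;
    root /path/to/public/dir;

    # Hand the certificate login over to the separate auth host.
    location = /user/login/certificate {
        return 302 https://auth.myapp.com$request_uri;
    }
}

# Auth host: its own server block, so ssl_verify_client sits at the scope
# nginx allows. Only this host ever asks for a certificate.
server {
    listen 443 ssl;
    server_name auth.myapp.com;   # hypothetical hostname
    ssl_certificate        /path/to/myapp/certs/myapp.pem;
    ssl_certificate_key    /path/to/myapp/certs/myapp.key;
    ssl_client_certificate /path/to/myapp/certs/myapp_ca.pem;
    ssl_verify_depth 2;
    ssl_verify_client on;   # handshake fails unless the client cert chains to myapp_ca.pem

    location = /user/login/certificate {
        # Defence in depth: "on" already rejects unverified clients, but the
        # check costs nothing and documents the expectation.
        if ($ssl_client_verify != SUCCESS) { return 403; }

        proxy_pass http://127.0.0.1:8080;   # assumed application backend
        # Pass the verified subject so the application can look the user up.
        # The backend must only be reachable via nginx, or these headers can be forged.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }

    # Nothing else is served from the auth host.
    location / { return 404; }
}
```

The application then issues its session cookie with a domain of `.myapp.com` so the login established on the auth host carries over to the main site.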
There are no plans to implement this in the foreseeable future.