I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and, if necessary, it logs in a user by issuing a call to "myapp.local/login". I cannot create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work. Because the login is not necessary all the time, I do not want to enforce ssl_verify for `/`, because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.
This is my current setup, which does not work because the first `server` definition block has higher priority. I tried to keep the example short; because of this you see some `...`. The SSL/TLS stuff is in my config file but is not repeated here because I think it is not part of the problem. Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference. I am on mainline 1.13.8.

```
http {
    server {
        listen 443 ssl http2;
        server_name localhost;
        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }
    }

    server {
        listen 443 ssl http2;
        server_name localhost;
        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;
        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...
            proxy_pass http://localhost:8080;
        }
    }
}
```

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
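
One way to get per-URL enforcement inside a single `server` block, shown as an added example that is not part of the original post: `ssl_verify_client` is only accepted at `http` and `server` level, so the certificate is requested as `optional` for the host and the result is enforced in `location /login`. The file paths and the `X-SSL-Client-Verify` header name are assumptions; the hostname, CA depth and backend address come from the post.

```nginx
http {
    server {
        listen 443 ssl http2;
        server_name myapp.local;

        # Placeholder paths (assumed); use the server's real certificate and key.
        ssl_certificate     /etc/nginx/tls/example-server.crt;
        ssl_certificate_key /etc/nginx/tls/example-server.key;
        ssl_session_cache   shared:SSL:1m;

        # Request a client certificate during the handshake but do not
        # require one, so "/" stays reachable without a certificate.
        ssl_client_certificate /etc/nginx/tls/example-acceptedcas.pem;  # placeholder path
        ssl_verify_depth 2;
        ssl_verify_client optional;

        location / {
            root /var/www/example;  # placeholder docroot
        }

        location /login {
            # $ssl_client_verify is SUCCESS only when a certificate was
            # presented and chained to a CA in ssl_client_certificate.
            # It is NONE when no certificate was sent.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }

            # proxy_set_header replaces any header of the same name sent
            # by the client, so the backend only sees nginx's values.
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;  # hypothetical header name
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_pass http://localhost:8080;
        }
    }
}
```

Because the certificate request is part of the TLS handshake for the whole server, a browser that holds a matching certificate may still show its selection dialog before `/` loads. The backend on port 8080 should accept connections only from nginx, since it trusts the `X-SSL-Client-*` headers.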