Hi guys!
I’ve been using nginx for a while and I’m very pleased with its
performance. However, I didn’t manage to set up one thing, maybe someone
has an idea…
Before using nginx, I used apache and I had a configuration similar to
the next one for certain alias, which I want to force client SSL
requirement and for other areas of the site I didn’t need that. I’ve
posted the example of apache configuration below. Is there anything
similar for this in nginx? I need to have “ssl_verify_client optional;”
in certain aliases and “ssl_verify_client on;” in 2 of my aliases.
On Wed, Aug 31, 2011 at 08:43:53AM -0400, cicovy wrote:
> in certain aliases and “ssl_verify_client on;” in 2 of my aliases.
No way, ssl_verify_client may only be configured at server{} level
in nginx (as nginx neither uses nor allows renegotiation of SSL/TLS
connections).
Please also note that such setups (regardless of the specific
server software used) do require renegotiation. Secure one is
only available in products less than 2 years old, see [1].
I just found out that it’s not possible to add ssl_verify_client
directive in a “location”. I received a suggestion from @kolbyjack on
the nginx IRC channel which helped me with this problem. The solution
was to deal with the $ssl_verify_client returning value.
    if ($ssl_client_verify != SUCCESS) {
        return 401;
        break;
    }
On Wed, Aug 31, 2011 at 09:58:40AM -0400, cicovy wrote:
> I just found out that it’s not possible to add ssl_verify_client
> directive in a “location”. I received a suggestion from @kolbyjack on
> the nginx IRC channel which helped me with this problem. The solution
> was to deal with the $ssl_verify_client returning value.
>     if ($ssl_client_verify != SUCCESS) {
>         return 401;
>         break;
>     }
Yes, you can set “ssl_verify_client optional” on server level and then
test $ssl_client_verify inside location.
The “break” directive is useless here.
--
Igor S.
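
The approach from this thread written out as a full server block. This is an added example, not a configuration posted by anyone in the thread; the server name, file paths and the two protected location prefixes are placeholder assumptions.

```nginx
server {
    listen 443 ssl;
    server_name example.org;                              # placeholder
    root /var/www/html;                                   # placeholder

    ssl_certificate        /etc/nginx/tls/server.crt;     # placeholder path
    ssl_certificate_key    /etc/nginx/tls/server.key;     # placeholder path

    # CA certificate(s) used to verify client certificates.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder path

    # Set at server level only: ask for a client certificate during the
    # handshake, but accept the connection when the client sends none.
    ssl_verify_client optional;

    # Public area: no client certificate needed.
    location / {
    }

    # Protected areas (hypothetical prefixes). $ssl_client_verify is
    # SUCCESS only when a certificate was presented and verified against
    # ssl_client_certificate; it is NONE when the client sent none.
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
    }

    location /reports/ {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
    }
}
```

The check has to appear in every location that needs a client certificate, because with "optional" any location without it is served to clients that presented none.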