
I understand I can have nginx check the client certificate before forwarding requests, something along the lines of:

```nginx
server {
    listen 443 ssl;

    server_name my.server.com;

    ssl_certificate     /etc/ssl/my.server.com.crt;
    ssl_certificate_key /etc/ssl/my.server.com.key;

    ssl_verify_client       on;
    ssl_trusted_certificate /etc/ssl/myca.pem;

    location / {
        ...
        proxy_pass http://my.backend.com:9999;
    }
    ...
}
```

The question is: can I extract certificate details (essentially the client certificate Subject:CN) and use them to modify the forwarded URL (e.g. by adding a fragment to it)?

If that's possible, how?

ZioByte
  • If the information you need is contained in the `$ssl_client_i_dn` variable, you could extract it by using a `map`. But sending it upstream as a fragment? The fragment isn't usually sent to a server. – Richard Smith Aug 18 '20 at 18:13
  • @RichardSmith: I could use whatever, including headers or query, to send info, but why are you saying "fragment isn't usually sent to a server"? It's a legitimate part of the URL; while it's routinely used to jump to specific document locations, its meaning is actually left to the implementation; am I missing something? I will look into the `$ssl_client_i_dn` variable (which I completely overlooked). Thanks. – ZioByte Aug 18 '20 at 18:47
  • That should be `$ssl_client_s_dn` - it's documented [here](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables). The fragment is used by the browser (and client side JS), the browser strips it off before sending the request to the server. – Richard Smith Aug 18 '20 at 18:58
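
The `map` approach suggested in the comments, written out as an added example that is not part of the original thread: it pulls the CN out of `$ssl_client_s_dn` and forwards it upstream in a request header instead of a fragment. The variable name `$client_cn` and the header name `X-Client-CN` are hypothetical; the paths and hosts are the ones from the question.

```nginx
# Added example; $client_cn and X-Client-CN are hypothetical names.
# map belongs in the http{} context, outside any server{} block.
# Since nginx 1.11.6 $ssl_client_s_dn is an RFC 2253 string such as
# "CN=alice,OU=ops,O=Example" (constructed sample value).
map $ssl_client_s_dn $client_cn {
    default "";
    # Match CN as an attribute type at the start of the string or
    # after a comma. Assumes the CA issues no subject values that
    # contain commas (they appear escaped as "\," in this format).
    "~(?:^|,)CN=(?<cn>[^,]+)" $cn;
}

server {
    listen 443 ssl;
    server_name my.server.com;

    ssl_certificate     /etc/ssl/my.server.com.crt;
    ssl_certificate_key /etc/ssl/my.server.com.key;

    ssl_verify_client       on;
    ssl_trusted_certificate /etc/ssl/myca.pem;

    location / {
        # Refuse certificates whose subject carries no CN.
        if ($client_cn = "") {
            return 403;
        }
        # proxy_set_header replaces any X-Client-CN the client sent,
        # so the backend only sees the value taken from the
        # verified certificate.
        proxy_set_header X-Client-CN $client_cn;
        proxy_pass http://my.backend.com:9999;
    }
}
```

The backend should accept connections only from this proxy, since anything that can reach it directly can set the header itself.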

0 Answers