How to use ssl_verify_client=ON on one virtual server and ssl_verify_client=OFF on another?

I ran into a similar problem, but I was looking to distinguish ssl_verify_client between location blocks within a server block, rather than between server blocks. You could probably solve your problem by moving the default SSL config stuff into the two servers (duplicating it, sure), or by putting them all in one server block, accepting the multiple sub-domains, and using locations.

For the location-based solution, it looks like the following works. Use

ssl_verify_client optional;

in the server block, and use if-statements in the various locations, e.g.:

if ($ssl_client_verify != SUCCESS) { return 403; }

I needed to do this to give admin access to a webapp, yet still allow webhooks from GitHub without giving GitHub a client SSL cert.
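A complete server block in the shape the answer above describes, as an added example (not configuration from the original post): `ssl_verify_client optional` at server level, the certificate enforced only under `/admin/`, and the webhook path left open. The hostname, backend address, paths and certificate file names are placeholders.

```nginx
# Added example, not from the original answer. Hostnames, backend address and
# certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/certs/app.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/app.example.com.key;

    # CA that issued the admin users' client certificates.
    ssl_client_certificate /etc/nginx/certs/admin-client-ca.crt;

    # "optional": ask for a client certificate and verify it if one is sent,
    # but do not abort the handshake when none is presented. The outcome is
    # exposed in $ssl_client_verify as SUCCESS, FAILED:<reason> or NONE.
    ssl_verify_client optional;
    ssl_verify_depth  2;

    # Admin UI: only a successfully verified client certificate gets through.
    # "!= SUCCESS" rejects both NONE (no cert) and FAILED:* (bad cert).
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        # Hand the verified subject DN to the application for audit logging.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }

    # GitHub webhook: reachable without a client certificate. The payload
    # should be authenticated in the application using the webhook secret.
    location /hooks/github {
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

One caveat worth keeping in mind with `optional`: a client that presents a certificate the configured CA does not vouch for is not disconnected at the handshake; it reaches the location blocks with `$ssl_client_verify` set to `FAILED:...`, so every protected location needs the check, not just the first one you write.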


You need to upgrade at least to nginx >= 1.0.9 if you want to have multiple name-based virtual hosts (using SNI) on the same IP address and port, but with different ssl_verify_client settings for these hosts.

In older nginx versions the ssl_verify_client setting for the default virtual host was used for all other name-based virtual hosts on the same IP+port combination. Some other SSL options (ssl_verify_depth, ssl_prefer_server_ciphers) were also handled in the same way. Using a separate IP or port could be a workaround if you absolutely cannot upgrade.

Note from the nginx changelog for 1.0.9:

*) Bugfix: the "ssl_verify_client", "ssl_verify_depth", and
   "ssl_prefer_server_ciphers" directives might work incorrectly if SNI
   was used.

Relevant changes in the nginx source: r4034 in trunk, r4246 in the 1.0 branch.
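The setup the answer above refers to, as an added example (not configuration from the original post): two name-based virtual hosts on the same IP address and port, selected by SNI, one with `ssl_verify_client off` and one with `ssl_verify_client on`. This relies on the 1.0.9 fix quoted above; the IP address, hostnames, backend address and certificate paths are placeholders.

```nginx
# Added example, not from the original answer. Requires nginx >= 1.0.9 for the
# per-host ssl_verify_client setting to take effect with SNI. The address,
# hostnames and certificate paths are placeholders.

# Public site: no client certificate. Made the default server so that clients
# which send no SNI get the permissive host's settings, not the strict one's.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/certs/www.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;

    ssl_verify_client off;   # the default, stated explicitly

    location / {
        root /var/www/public;
    }
}

# Internal site: the handshake itself fails unless the client presents a
# certificate signed by the internal CA.
server {
    listen 203.0.113.10:443 ssl;
    server_name intranet.example.com;

    ssl_certificate     /etc/nginx/certs/intranet.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/intranet.example.com.key;

    ssl_client_certificate /etc/nginx/certs/internal-client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth  2;

    location / {
        # Defence in depth: with "on" a request normally cannot get here without
        # a verified certificate, but this also covers a request that reaches
        # this block by Host header after a handshake done under another
        # server's settings (e.g. a client that sent no SNI).
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Before relying on this, check the running version with `nginx -V`; on anything older than 1.0.9 both hosts silently inherit the default server's `ssl_verify_client`, `ssl_verify_depth` and `ssl_prefer_server_ciphers`, and the separate-IP or separate-port workaround mentioned above is the only option.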