Nginx verifying client certs only on a particular location
Solution 1:
Why not to try second server block instead? Code duplication is bad but sometimes unavoidable. I assume /jsonrpc represents an API so it can use its own subdomain if not already use it:
server {
listen *:443 ssl;
server_name api.example.com;
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/client-ca.crt;
ssl_verify_client on;
location =/jsonrpc {
proxy_pass http://localhost:8282/jsonrpc-api;
proxy_read_timeout 90;
proxy_redirect http://localhost/ $scheme://$host:$server_port/;
}
}
server {
listen *:443 ssl;
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/client-ca.crt;
ssl_verify_client off;
location / {
proxy_pass http://localhost:8282/;
proxy_read_timeout 90;
proxy_redirect http://localhost/ $scheme://$host:$server_port/;
}
}
Solution 2:
Stumbled over this question while looking for something else.
Perhaps I misunderstood the question:
But shouldn't following work.
This has two location settings, but only one server setting.
server {
listen *:443 ssl;
server_name api.example.com;
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/client-ca.crt;
ssl_verify_client optional;
location =/jsonrpc {
if ($ssl_client_verify != "SUCCESS") { return 403; }
proxy_pass http://localhost:8282/jsonrpc-api;
proxy_read_timeout 90;
proxy_redirect http://localhost/ $scheme://$host:$server_port/;
}
location / {
proxy_pass http://localhost:8282/;
proxy_read_timeout 90;
proxy_redirect http://localhost/ $scheme://$host:$server_port/;
}
}