Conditional ssl_verify_client in NGINX

I need to enable client certificate verification only for requests from outside of our intranet without verification for requests from, for example, 192.168.0.0/24. I tried to use geo module to define variable for internal subnet. In http context:

geo $intranet { 
  default 0; 
  192.168.0.0/24 1; 
}

In server context

if ($intranet != 1) { 
  ssl_verify_client on; 
}

but it is impossible to use ssl_verify_client directive inside if statement. I get an error:

"ssl_verify_client" directive is not allowed here

Is there other way to do this?

Solution 1:

Finally I found solution which works as expected.

In http context:

geo $intranet { 
  default 0; 
  192.168.0.0/23 1; 
}

In server context:

ssl_verify_client optional;

set $verify $intranet$ssl_client_verify;

if ($verify ~ (0NONE|0FAILED)) {
  return 403;
}

Why is the Application event log getting cleared every night?

LSI Megaraid: Samsung 850 Pro SSD can't modify "disk cache policy"

Speed very slow when Resync Hard disk with mdadm

Blocking, filtering or reducing "tabloid" spam (emails that bypass Spam Assasin)?

Does any PCIe slot support NVMe SSD's automatically or do I need a specific M.2 slot?

Do Docker and VirtualBox play well together on Linux? [closed]

SSL_ERROR_NO_CYPHER_OVERLAP error with signed certifcate

Creating a two-node Hyper-V failover cluster with a SAN

Windows 2016 RRAS installation initialization hangs

How to disable abbreviated SSL handshake to perform a full handshake every call on lighttpd?

DNS Policies are not properly resolving CNAMEs in Zone Scopes if the Query Resolution Policy includes the NE operator for Client Subnets

Decisions about DNS on IPv6

Conditional ssl_verify_client in NGINX

Solution 1:

Related

Recent Posts