I'm new to nginx, began using it about two months ago for a projec that requires client ssl certificate authentication where the nginx server is running on WS2008SEr2.

I have ssl headers passing OK to the web server behind nginx, but need help (PLEASE HELP) getting nginx to authenticate the client ssl certs.

On my development box, I've created my own ca.crt and ca.key, plus the web server ws.crt and ws.keys (self signed), and also the client cl.crt and cl.key (self-signed with ca.crt).

I understand that Nathan Good got nginx client ssl cert authentication to work as he published in his blog: http://blog.nategood.com/client-side-certificate-authentication-in-ngi

But there are several assumption not covered in his documentation:
1) When creating the server and client SSL certs, is does the CN (common name) parameter have to be the resolved name of the server and client host computers for the nginx client ssl cert authentication to validate (to pass VERIFIED IN $ssl_client_verify)? Currently nginx is only passing NONE in $ssl_client_verify. I specifically created my server.crt and client.crt to match their resolved host names. Googling this seems to say YES.

2) When installing a client ssl certificate to be used for client web SSL authentication, there are many possible properties to assign to the certificate's use. How do we defined those properties to ensure the our desired client.crt will be used/presented for client authentication to nginx? (and that other certificates will NOT be presented for client authentication to nginx?) My client.crt has it's property set for client authentication.

It would help me most of some who has done this could help get this part finished. It seems like it is soooo close.....

Below are some config snippets. nginx starts with no errors. ssl_client_verify always returns "none".

ssl_certificate ../cert/ep192.168.2.98.crt;
ssl_certificate_key ../cert/ep192.168.2.98.key;
ssl_client_certificate ../cert/ca.crt;
ssl_verify_client optional;
...
proxy_set_header Host $host;
proxy_set_header REMOTE_ADDR $remote_addr;
proxy_set_header Verify $ssl_client_verify;
proxy_set_header DN $ssl_client_s_dn;

Thanks!!!
David

I've tried various combinations of burst=2, nodelay, 1r/s or 1r/m, with and without limit_conn, with and without keepalive, with and without "location /", etc... and requests are never being limited, as shown by the access.log entries below: