Client certificate validation error handling

Posted by sedov.alx 
January 23, 2018 09:06AM
We are using nginx as a reverse proxy to enable a client certificate authentication for our REST API endpoints. The config is as follows:

server {
    listen 443 ssl;
    ssl_certificate /Users/asedov/Documents/work/ssl/openssl-scripts/ca/certs/test-backend_crt.pem;
    ssl_certificate_key /Users/asedov/Documents/work/ssl/openssl-scripts/ca/private/test-backend_key.pem;
    ssl_client_certificate /Users/asedov/Documents/work/ssl/openssl-scripts/ca/certs/ca_crt.pem;

    ssl_verify_client optional;
    ssl_verify_depth 2;

    server_name localhost;

    proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;

    location / {
        proxy_pass http://127.0.0.1:8088;
    }
}

The idea is to get the certificate body in the SSL_CLIENT_CERT header if a client provides a certificate. It works fine while the provided certificate is valid. Otherwise, for example if the certificate is expired, nginx responds with a 400 error and doesn't proxy_pass to our backend.

I'm looking for a way to change this behavior and handle the certificate verification error so that nginx still does a proxy_pass to our API, but with an empty SSL_CLIENT_CERT header. So, basically, we need nginx to verify provided certificates (if provided) and set the header only when the certificate is provided and valid.

Is it possible?

Thank you in advance!
Re: Client certificate validation error handling
April 11, 2018 02:22PM
I didn't find a way to achieve the goal above. In the end, we decided to use `optional_no_ca` mode and validate certificates on our backend side.
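An added configuration example (not from either post in this thread) showing how the two pieces discussed above fit together: `ssl_verify_client optional_no_ca` lets the handshake complete even when verification fails, while nginx still records the verification outcome in `$ssl_client_verify` ("SUCCESS", "NONE" when no certificate was presented, or "FAILED:<reason>" when one was presented but did not verify, e.g. an expired certificate). A `map` on that variable forwards the certificate only when verification succeeded, which is what the original post asked for. The certificate and key paths are placeholders; the backend address is the one from the original post. `$ssl_client_escaped_cert` (the certificate in URL-encoded form, available since nginx 1.13.5) is used instead of the multi-line `$ssl_client_cert` so the value fits in a single header line.

```nginx
# Added example, not the thread author's configuration.
# Forward the client certificate to the backend only when nginx verified it,
# and always forward the verification result so the backend can decide.

map $ssl_client_verify $client_cert_pem {
    # $ssl_client_verify is "SUCCESS", "NONE" (no certificate presented)
    # or "FAILED:<reason>" (presented but expired, untrusted, etc.).
    "SUCCESS" $ssl_client_escaped_cert;
    default   "";
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate        /path/to/server_crt.pem;   # placeholder path
    ssl_certificate_key    /path/to/server_key.pem;   # placeholder path
    ssl_client_certificate /path/to/ca_crt.pem;       # placeholder path

    # optional_no_ca: ask for a certificate, do not reject the handshake when
    # verification fails; the outcome is still exposed in $ssl_client_verify.
    ssl_verify_client optional_no_ca;
    ssl_verify_depth 2;

    # nginx omits a proxied header whose value is an empty string, so a request
    # with no valid certificate reaches the backend with no SSL-Client-Cert
    # header at all; SSL-Client-Verify is always present.
    proxy_set_header SSL-Client-Verify $ssl_client_verify;
    proxy_set_header SSL-Client-Cert   $client_cert_pem;

    location / {
        proxy_pass http://127.0.0.1:8088;
    }
}
```

Two points to check when deploying this. First, because an empty `proxy_set_header` value drops the header rather than sending it empty, the backend should treat a missing `SSL-Client-Cert` header as "no valid certificate" and should key any authorization decision on `SSL-Client-Verify` being exactly `SUCCESS`. Second, the backend must only be reachable through this proxy (for example bound to 127.0.0.1 as in the original post), since anything that can reach it directly could supply these headers itself.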