I'm enabling client certificate authentication in Nginx with "ssl_verify_client" set to "optional_no_ca".
I'm planning to allow a request either if its client cert is validated successfully or if no client cert is submitted.
The client cert results I wish to handle are:
ssl_client_verify = SUCCESS: allow
ssl_client_verify = NONE: allow
ssl_client_verify = FAILED: reject (all failed cases)
I've come up with the following two regexes to achieve the above:
location / {
    if ($ssl_client_verify ~ FAILED) { return 403 "Unauthenticated"; }
    proxy_pass http://app;
}
(or)
location / {
    if ($ssl_client_verify ~ (SUCCESS|NONE)) { proxy_pass http://app; }
    return 403 "Unauthenticated";
}
I'm not an expert in Nginx regexes. Hence, I just wanted a review of whether this regex is secure enough to reject all possible failure cases.
Is there any better way to do this? Thanks in advance.
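An alternative, added here as an example and not part of the question, that avoids unanchored substring regexes entirely: a map turns the exact $ssl_client_verify value into an allow flag with a default-deny fallback, and the location only has to test that flag. The upstream name app is taken from the question; the server name and certificate paths are placeholders, and the whole fragment is assumed to sit inside the http {} block.

```nginx
# $ssl_client_verify is one of: SUCCESS, NONE, or FAILED:<reason>.
# map matches the whole value, so no FAILED:<reason> string can satisfy
# the allow condition the way an unanchored substring regex might.
map $ssl_client_verify $client_cert_ok {
    default 0;   # anything unexpected, including every FAILED:<reason>, is denied
    SUCCESS 1;   # cert presented and chained to the trusted CA below
    NONE    1;   # no cert presented at all
}

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;        # placeholder path

    # Request a client cert but do not abort the handshake when it is
    # missing or untrusted; the outcome is exposed in $ssl_client_verify.
    ssl_verify_client      optional_no_ca;
    # Only certs chaining to this CA produce SUCCESS; all others are FAILED:<reason>.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder path

    location / {
        # "if" with a plain "return" is one of the safe uses of if in a location.
        if ($client_cert_ok = 0) {
            return 403 "Unauthenticated";
        }
        # Pass the verification result upstream so the app can log or act on it.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://app;
    }
}
```

Because the map defaults to 0, an empty or otherwise unexpected $ssl_client_verify value is rejected too, so the allow list is the only thing that grants access.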