Clientcertificate authentication only for a single URL

Gbg
February 19, 2018 10:14AM
I need to secure only a single URL on my server by demanding or enforcing client certificate based authentication. My application is called by opening "myapp.local" and if necessary it logs in a user by issuing a call to "myapp.local/login". I cannot create a second hostname to do the login, so specifying a second `server` with `server_name myapplogin.local` does not work.
Because the login is not necessary all the time, I do not want to enforce ssl_verify for `/` because then the user would be prompted with a certificate selection dialog even before he can see the start page of my application.

This is my current setup, which does not work because the first `server` definition block has higher priority. I tried to keep the example short; because of this you see some `...`. The SSL/TLS stuff is in my config file but is not repeated here because I think it is not part of the problem.
Replacing `server_name localhost` with `server_name myapp.local` didn't make any difference. I am on mainline 1.13.8.

```nginx
http {
    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;
        include templates/ssl_setup.conf;

        location / {
            root /var/www/...;
        }
    }

    server {
        listen 443 ssl http2;
        server_name localhost;

        ssl_certificate ...
        ssl_certificate_key ...
        ssl_session_cache shared:SSL:1m;

        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client on;

        location /login {
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-...

            proxy_pass http://localhost:8080;
        }
    }
}
```
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
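
One common way to get the behaviour asked about in this post, shown as an added example that is not part of the original thread: a single `server` block with `ssl_verify_client optional`, with the result in `$ssl_client_verify` enforced only inside `location /login`. The `...` placeholders and paths are carried over from the post; the `X-SSL-Client-Verify` header name and the 403 response are assumptions.

```nginx
# Added example, not the poster's configuration.
# "..." values are the elisions from the post and must be filled in locally.
http {
    server {
        listen 443 ssl http2;
        server_name myapp.local;

        ssl_certificate     ...;
        ssl_certificate_key ...;
        ssl_session_cache   shared:SSL:1m;
        include templates/ssl_setup.conf;

        # Ask for a client certificate during the handshake, but keep the
        # connection usable when the client presents none.
        ssl_client_certificate /.../acceptedcas.pem;
        ssl_verify_depth 2;
        ssl_verify_client optional;

        # Start page: no certificate is required here.
        location / {
            root /var/www/...;
        }

        # Login: only a certificate that verified against acceptedcas.pem passes.
        location /login {
            # $ssl_client_verify is "SUCCESS", "FAILED:reason", or "NONE"
            # when no certificate was sent.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }

            # proxy_set_header replaces any header of the same name sent by
            # the client, so the backend sees nginx's values only.
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            # Header name below is an assumption, not taken from the post.
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;

            proxy_pass http://localhost:8080;
        }
    }
}
```

Because `ssl_verify_client` is valid only at `http` and `server` level, the certificate request is still part of every TLS handshake with this server, so a browser holding a matching certificate may show its selection dialog before the start page. The backend on port 8080 should accept the `X-SSL-Client-*` headers only from nginx.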