ssl_verify_client

The `ssl_verify_client` directive configures whether NGINX should request and verify a client's SSL certificate.

Syntax:    ssl_verify_client on | off | optional;
Default:   off
Context:   http, server
Arguments: 1

Description

The ssl_verify_client directive specifies whether NGINX verifies client SSL certificates during the SSL handshake. When enabled, NGINX requests a certificate from the client and, depending on whether the setting is on, off, or optional, either requires a valid certificate or lets the client proceed without one. This is particularly useful where increased security is required and mutual TLS (mTLS) is deployed to authenticate clients by certificate.

The directive accepts a single argument:
- on: Requires the client to provide a valid certificate, failing if the client cannot do so.
- off: Does not request a client certificate and ignores client certificates for authentication purposes.
- optional: Requests a client certificate but allows access even if the client does not provide one. If a client certificate is provided, it will be verified.

This level of control allows administrators to fine-tune security policies for different endpoints within an NGINX server environment. It is critical to pair this directive with properly configured CA and certificate files to avoid security loopholes and ensure that mTLS functions correctly.

Config Example

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
}

Ensure the CA certificate used for client verification is correctly set with ssl_client_certificate.

With optional, a client that presents no certificate still completes the handshake and reaches the application, so unless access is restricted according to the verification result, this setting can lead to unauthorized access.
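The following is an added example, not part of the original page, showing the weak and hardened forms of the optional setting side by side. It assumes the same placeholder certificate paths as above, an upstream on 127.0.0.1:8080, and the standard NGINX variables $ssl_client_verify and $ssl_client_s_dn.

```nginx
# Added example (not from the original page). Paths, hostnames and the
# upstream address are placeholders.

# Weak: "optional" requests a certificate but never enforces it. A client
# that sends no certificate at all still reaches every location below.
server {
    listen 443 ssl;
    server_name weak.example.com;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client      optional;

    location /admin/ {
        proxy_pass http://127.0.0.1:8080;   # reachable without any certificate
    }
}

# Hardened: keep "optional" for the mixed public/protected case, but gate the
# protected location on $ssl_client_verify, which NGINX sets to "SUCCESS" only
# when a certificate was presented and chained to ssl_client_certificate.
server {
    listen 443 ssl;
    server_name hardened.example.com;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client      optional;

    location / {
        proxy_pass http://127.0.0.1:8080;   # public, no certificate needed
    }

    location /admin/ {
        # "NONE" (no certificate) and "FAILED:reason" are both rejected;
        # only "SUCCESS" reaches the upstream.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        # Pass the verified subject DN so the application can authorize on it.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Reload with `nginx -t && nginx -s reload` and confirm that a request to /admin/ without a client certificate returns 403 while one with a CA-issued certificate is proxied.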

Make sure the rest of the SSL configuration supports client certificate authentication; a misconfigured setting can prevent verification from succeeding.
