$ssl_client_cert

The variable $ssl_client_cert contains the client's SSL certificate as a PEM encoded string when SSL client verification is enabled. — NGINX Core (HTTP)


Description

The $ssl_client_cert variable is used when SSL client certificate verification takes place in NGINX. It holds the certificate the client presented during the SSL handshake, formatted as a PEM encoded string. It is set to the value of the client's certificate when the 'ssl_verify_client' directive is configured to 'on' and a certificate is successfully validated. If no client certificate is provided or if the verification fails, this variable will be empty.

The variable is particularly useful where secure communication depends on verifying client identity, such as in API services or user authentication systems. Its content can be logged, evaluated in conditional statements, or passed to backend applications if necessary. Typical uses include authorizing access based on client certificate attributes, such as the Common Name (CN) or Subject Alternative Name (SAN), which adds an identity check at the application level. This matters most in services that must establish the identity of each client over SSL/TLS.

Config Example

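server {
    listen 443 ssl;
    server_name example.com;

    # Server certificate and private key
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # CA certificate(s) used to verify client certificates
    ssl_client_certificate /path/to/ca.pem;
    # Require a valid client certificate
    ssl_verify_client on;

    location / {
        # Non-empty only when a client certificate is available
        if ($ssl_client_cert) {
            # Expose the PEM certificate in a response header
            add_header X-Client-Cert $ssl_client_cert;
        }
    }
}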

Subsystem

http

Cacheable

Yes

Contexts

http, server, location, if

Ensure ssl_verify_client is set to 'on' for $ssl_client_cert to be populated.

$ssl_client_cert will be empty if the client does not present a certificate or if the verification fails.

Be cautious about logging $ssl_client_cert since it contains sensitive information.
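
The following configuration is an added example, not part of the NGINX documentation. It shows the uses named in the description (authorizing by Common Name and passing the certificate to a backend) together with the logging caution above. The CN value, header name, log path and backend address are assumptions; $ssl_client_escaped_cert (NGINX 1.13.5+) is used for forwarding because it carries the same PEM as $ssl_client_cert on a single URL-encoded line.

```nginx
# Added example. Paths, the CN value, the header name and the backend
# address are assumptions, not values from the page.
events {}

http {
    # Authorize by subject DN. $ssl_client_s_dn is an RFC 2253 string,
    # e.g. "CN=api-client-1,O=Example" (constructed sample value).
    map $ssl_client_s_dn $client_allowed {
        default                         0;
        "~(^|,)CN=api-client-1(,|$)"    1;
    }

    # Log the verification result, fingerprint and subject instead of
    # the full PEM held in $ssl_client_cert.
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'verify=$ssl_client_verify fp=$ssl_client_fingerprint '
                    'dn="$ssl_client_s_dn"';

    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate         /path/to/server.crt;
        ssl_certificate_key     /path/to/server.key;
        ssl_client_certificate  /path/to/ca.pem;
        ssl_verify_client       on;

        access_log /var/log/nginx/mtls.log mtls;

        location / {
            # Reject verified clients whose CN is not on the allowlist.
            if ($client_allowed = 0) {
                return 403;
            }

            # proxy_set_header replaces any X-Client-Cert header the client
            # sent, so the backend only sees the value NGINX set.
            proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

After substituting real certificate paths, the file can be syntax-checked with nginx -t -c pointing at it.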