$ssl_client_escaped_cert
The $ssl_client_escaped_cert variable contains the PEM-encoded and URL-escaped client certificate sent by the client during SSL handshake. — NGINX Core (HTTP)
Description
The $ssl_client_escaped_cert variable is used in the HTTP server context when an HTTPS connection uses client certificate authentication. When a client establishes a secure connection and presents a certificate, this variable holds the full certificate in a form that is both URL-encoded and safely escaped for transmission. That makes it suitable for logging, or for passing as a query parameter or header value, without introducing syntax errors in URLs.

The variable is set only if client certificate verification is enabled and a valid client certificate is presented during the SSL handshake; if no client certificate is presented, it is empty. Its value is the PEM-encoded certificate, that is, the Base64-encoded certificate data wrapped between the specific PEM header and footer lines, with the whole text URL-escaped. Server-side applications can decode it to obtain the client's identity for authorization or access control.

In combination with other SSL-related variables, such as $ssl_client_cert and $ssl_client_verify, $ssl_client_escaped_cert provides a comprehensive mechanism for managing client verification in secure environments, covering scenarios that require not just identity verification but also safe transmission of the certificate data for further processing.
Config Example
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # CA bundle used to verify client certificates; client verification
    # must be enabled for $ssl_client_escaped_cert to be populated.
    ssl_client_certificate /path/to/client_ca.crt;
    ssl_verify_client on;

    location /secure-data {
        # Expose the URL-escaped PEM client certificate as a response header.
        add_header X-Client-Cert "$ssl_client_escaped_cert";
    }
}

Subsystem
http

Cacheable
Yes

Contexts
http, server, location

Notes
Make sure SSL client authentication is enabled for this variable to be populated; otherwise, it remains empty.
Using this variable without proper escaping in your application context can lead to malformed URLs.
It is essential to configure NGINX to log the variable securely to prevent exposure of sensitive certificate information in access logs.
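As an added example, not code from the page or from NGINX itself, the following Python shows how an upstream application might consume the value: it undoes the URL-escaping, converts the PEM text to DER, and authorizes the request only when NGINX also reports a successful verification and the certificate's SHA-256 fingerprint is on an allowlist. It assumes NGINX forwards $ssl_client_escaped_cert and $ssl_client_verify to the upstream in two headers, X-Client-Cert and X-Client-Verify, via proxy_set_header (the page's own configuration uses add_header instead); the header names, the allowlist and the sample certificate bytes are constructed for illustration and are not from the page.

```python
import base64
import hashlib
import ssl
from urllib.parse import quote, unquote

# Hypothetical header names: assumed to be set by nginx proxy_set_header
# directives from $ssl_client_escaped_cert and $ssl_client_verify
# (not the page's own configuration).
CERT_HEADER = "X-Client-Cert"
VERIFY_HEADER = "X-Client-Verify"

# Reject oversized values before doing any work; real client
# certificates are a few KiB.
MAX_ESCAPED_LEN = 16 * 1024


def decode_escaped_client_cert(escaped):
    """Turn the URL-escaped PEM text nginx sends into DER bytes.

    Returns None for an empty value (no client certificate presented),
    an oversized value, or text that is not a single PEM certificate block.
    """
    if not escaped or len(escaped) > MAX_ESCAPED_LEN:
        return None
    pem = unquote(escaped)  # undo nginx's percent-escaping
    try:
        # ssl.PEM_cert_to_DER_cert checks the BEGIN/END CERTIFICATE markers
        # and Base64-decodes the body; it does not parse the ASN.1 inside.
        # Bad markers, non-ASCII text and bad Base64 all raise ValueError
        # subclasses.
        return ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:
        return None


def cert_fingerprint_sha256(der):
    """Hex SHA-256 of the DER certificate, the usual pinning identifier."""
    return hashlib.sha256(der).hexdigest()


def is_authorized(headers, allowed_fingerprints):
    """Authorization decision for one request.

    headers is a dict of the headers nginx forwarded. The certificate is
    trusted only when nginx reports $ssl_client_verify as SUCCESS and the
    certificate's SHA-256 fingerprint is on the allowlist.
    """
    if headers.get(VERIFY_HEADER) != "SUCCESS":
        return False
    der = decode_escaped_client_cert(headers.get(CERT_HEADER, ""))
    if der is None:
        return False
    return cert_fingerprint_sha256(der) in allowed_fingerprints


# Constructed sample: these bytes stand in for a DER certificate so the
# example runs offline; they are not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
# Simulates nginx's percent-escaping of the PEM text (newlines become %0A,
# '/' and '+' become %2F and %2B, and so on).
SAMPLE_ESCAPED = quote(SAMPLE_PEM, safe="")

# Allowlist keyed by certificate fingerprint (constructed for the sample).
ALLOWLIST = {cert_fingerprint_sha256(SAMPLE_DER)}

if __name__ == "__main__":
    request_headers = {CERT_HEADER: SAMPLE_ESCAPED, VERIFY_HEADER: "SUCCESS"}
    print("authorized:", is_authorized(request_headers, ALLOWLIST))
```

The unquote step is the counterpart of the page's escaping caveat: the value is safe to carry in a header or URL precisely because it is percent-escaped, and the consumer must reverse that before treating it as PEM. The upstream can trust these headers only when every request reaches it through NGINX, since proxy_set_header replaces any client-supplied header of the same name; a real deployment would additionally parse the DER with an X.509 library to read the subject rather than relying on fingerprints alone.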