$ssl_client_fingerprint

The variable $ssl_client_fingerprint represents the fingerprint of the client's SSL certificate. — NGINX Core (HTTP)

Description

The $ssl_client_fingerprint variable is available in NGINX when SSL client authentication is enabled. It provides a unique fingerprint for the client's SSL certificate: a cryptographic hash, usually generated using the SHA-1 or SHA-256 hashing algorithms, derived from the certificate's data, specifically its `tbsCertificate` structure. The variable is set only when SSL client authentication is successfully performed, meaning that the server has been configured to require client certificates and the client has presented a valid certificate during the SSL handshake. Typical values are hex strings representing the hash of the client's certificate. The fingerprint is useful for logging, access control, and applying additional custom logic based on client identity.

Config Example

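# Defined in the http context: a log format that records the fingerprint
# (the predefined "combined" format does not include it)
log_format client_cert '$remote_addr [$time_local] "$request" $status '
                       '$ssl_client_verify $ssl_client_fingerprint';

server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/ca.crt;  # CA used to verify client certificates
    ssl_verify_client on;                     # require a client certificate

    location / {
        # Use the fingerprint in access logs
        access_log /var/log/nginx/access.log client_cert;
        set $client_fp $ssl_client_fingerprint;
        if ($client_fp) {
            # More logic can be applied here based on the fingerprint
        }
    }
}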

Subsystem

http

Cacheable

Yes

Contexts

http, server, location, if

Ensure that SSL client authentication is enabled; otherwise, this variable will not be set.

Be careful not to rely on this variable for authentication purposes without proper validation of the SSL handshake.

The fingerprint format may vary based on the hashing algorithm used; make sure to handle both formats (SHA-1, SHA-256) if applicable.
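
One way to apply the caveat about handshake validation when the fingerprint is used for access control, as an added example that is not taken from the NGINX documentation: the pinned fingerprint is honoured only when `$ssl_client_verify` reports `SUCCESS`. The map variable names `$fp_pinned` and `$client_ok`, the file paths and the fingerprint value are assumptions made for illustration.

```nginx
# http context. $fp_pinned and $client_ok are hypothetical variable names.
# The fingerprint below is a constructed placeholder, not a real certificate's hash.
map $ssl_client_fingerprint $fp_pinned {
    default 0;
    "0123456789abcdef0123456789abcdef01234567" 1;
}

# Grant access only if the handshake verified the certificate against the CA
# AND its fingerprint is pinned. $ssl_client_verify holds SUCCESS,
# FAILED:reason or NONE.
map "$ssl_client_verify:$fp_pinned" $client_ok {
    default 0;
    "SUCCESS:1" 1;
}

server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/ca.crt;

    # With "on", requests without a valid certificate are already rejected.
    # The explicit $ssl_client_verify check keeps the pin safe if this is
    # later relaxed to "optional" or "optional_no_ca".
    ssl_verify_client on;

    location / {
        # Weak form: `if ($ssl_client_fingerprint) { ... }` only tests that a
        # certificate was presented. Under `ssl_verify_client optional_no_ca`
        # that includes certificates the configured CA never signed.
        if ($client_ok = 0) {
            return 403;
        }
    }
}
```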