$ssl_client_raw_cert
The $ssl_client_raw_cert variable contains the raw bytes of the client's SSL certificate. — NGINX Core (HTTP)
Description
The $ssl_client_raw_cert variable is populated when NGINX terminates an SSL/TLS connection and the client presents a certificate for authentication. It is available while a request received over such a connection is being processed, provided the 'ssl_verify_client' directive is set to 'on' or 'optional'; otherwise it is empty.

The value is the client's X.509 certificate as transmitted during the SSL handshake, as a single PEM-encoded string (a base64 body between the BEGIN/END CERTIFICATE delimiters). It can be used for logging, access control, or any application-specific processing that needs to know the client's certificate.

The variable is particularly useful in environments where mutual TLS (mTLS) is deployed, because server administrators and application developers can apply rules based on the client's certificate, such as recording it for auditing or altering request processing according to the certificate's validity or attributes. In practice, NGINX may log the certificate directly or route requests conditionally on certificate attributes (e.g., subject or issuer). Directives such as 'ssl_verify_client' need careful configuration, since they directly affect application security.
Config Example
http {
    log_format mtls '$remote_addr $ssl_client_verify "$ssl_client_raw_cert"';
    server {
        listen 443 ssl;
        ssl_certificate     /path/to/server.crt;
        ssl_certificate_key /path/to/server.key;
        # CA bundle used to verify client certificates; required when ssl_verify_client is on
        ssl_client_certificate /path/to/ca.crt;
        ssl_verify_client on;
        # Default log escaping writes the PEM newlines as \x0A, so the cert fits on one log line
        access_log /var/log/nginx/mtls.log mtls;
        location / {
            # The PEM text contains newlines and cannot be placed in an HTTP header verbatim;
            # forward the URL-encoded form ($ssl_client_escaped_cert) to the upstream instead
            proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
            proxy_pass http://backend;
            # Additional processing...
        }
    }
}
Subsystem
http
Cacheable
Yes
Contexts
http, server, location, if
Notes
Ensure that the 'ssl_verify_client' directive is set correctly; otherwise, the variable will be empty.
This variable is only available in SSL-enabled server contexts; it is empty for requests received over plain (non-SSL) connections.
Logging raw client certificates can expose sensitive information; ensure compliance with security policies.
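As an added example (not part of the NGINX documentation), a small Python helper showing how a backend or log pipeline consumes this variable: it recovers the PEM from an access-log line written with NGINX's default escaping, or from an X-Client-Cert header carrying $ssl_client_escaped_cert, and pins access to specific client certificates by SHA-256 fingerprint. The log format, header name, IP address and certificate body are constructed for the example and assumed, not taken from the page.

```python
import base64
import hashlib
import re
import ssl
from urllib.parse import quote, unquote

# Constructed sample: the base64 body below is NOT a real certificate, just an
# arbitrary byte string; it is enough to exercise the PEM handling path.
_BODY = base64.b64encode(b"constructed-not-a-real-certificate-" * 3).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_BODY[i:i + 64] for i in range(0, len(_BODY), 64))
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed access-log line in the shape produced by
#   log_format mtls '$remote_addr $ssl_client_verify "$ssl_client_raw_cert"';
# NGINX's default escaping writes the PEM newlines as \x0A.
SAMPLE_LOG_LINE = '203.0.113.7 SUCCESS "' + SAMPLE_PEM.replace("\n", "\\x0A") + '"'

# Constructed value of a header set from $ssl_client_escaped_cert (URL-encoded PEM).
SAMPLE_HEADER = quote(SAMPLE_PEM, safe="")

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unescape_log_value(value: str) -> str:
    """Reverse NGINX's default log escaping (\\xHH -> character)."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), value)

def pem_from_log_line(line: str) -> str:
    """Recover the PEM from the last quoted field of a line in the format above."""
    m = re.match(r'^(\S+) (.+?) "(.*)"$', line)
    if not m:
        raise ValueError("unexpected log line format")
    return unescape_log_value(m.group(3))

def pem_from_escaped_header(value: str) -> str:
    """Decode the URL-encoded PEM that $ssl_client_escaped_cert places in a proxied header."""
    return unquote(value)

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the value `openssl x509 -sha256 -fingerprint` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def is_allowed(pem: str, allowlist: set) -> bool:
    """Pin access to specific client certificates by fingerprint rather than by subject string."""
    return cert_fingerprint(pem) in allowlist
```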