$ssl_client_s_dn_legacy
The $ssl_client_s_dn_legacy variable contains the legacy subject distinguished name (DN) of the SSL client certificate. — NGINX Core (HTTP)
Description
The $ssl_client_s_dn_legacy variable is populated when NGINX terminates an SSL/TLS connection that requires client authentication. It holds the subject distinguished name (DN) of the client's certificate, which carries information such as the client's identity, organization, and country, formatted according to X.509 standards. The value is typically a string in which the elements of the DN appear in textual form, such as 'C=US, ST=California, L=San Francisco, O=Example Corp, CN=example.com'.

This variable is set only when the `ssl_verify_client` directive is enabled, which mandates that clients present valid SSL certificates. If the client certificate is not presented or fails verification, the variable will be empty.

The variable is useful for logging, access control, or application logic that depends on the client's identity. Typical values vary widely with the client certificates in use, and the format adheres to the standard DN representation. In practice, it can drive security checks, conditional processing based on client identity, or logging of connection details to better audit access to a web service. For example, an application might use this variable to enforce access controls based on the client’s organization or to log client details for analytical purposes.
Config Example
```nginx
server {
    listen 443 ssl;
    ssl_certificate        /path/to/server.crt;
    ssl_certificate_key    /path/to/server.key;

    # CA certificate(s) used to verify client certificates
    ssl_client_certificate /path/to/ca.crt;
    # Require a valid client certificate on every connection
    ssl_verify_client on;

    location /protected {
        # Echo the client's subject DN in a response header when it is set
        if ($ssl_client_s_dn_legacy) {
            add_header X-Client-DN $ssl_client_s_dn_legacy;
        }
    }
}
```

Subsystem
http

Cacheable
Yes

Contexts
http, server, location, if

Ensure `ssl_verify_client` is set to `on` to get useful values from this variable; otherwise, it will be empty.
If client certificates are not provided by clients, this variable will not hold any information, leading to potential conditional processing errors.
Ensure that NGINX is correctly configured to handle SSL connections before relying on this variable.
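
The logging and organization-based access control uses described above, as an added example that is not part of the original page or of the NGINX documentation. The file paths, the log file name, the `mtls` format name, the `$client_allowed` variable, the backend address and the DN string (a constructed sample in slash-separated form) are assumptions; log the variable once and copy the exact string your server emits into the `map`.

```nginx
http {
    # Record the verification result next to the DN so an audit can tell
    # which identity was presented and whether it was verified.
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'verify=$ssl_client_verify dn="$ssl_client_s_dn_legacy"';

    # Allowlist keyed on the complete DN string. A whole-string key (no regex,
    # no substring test) means a certificate whose CN merely contains the text
    # "O=Example Corp" does not match.
    map $ssl_client_s_dn_legacy $client_allowed {
        default 0;
        # Constructed sample DN; replace with the exact value from your log.
        "/C=US/ST=California/L=San Francisco/O=Example Corp/CN=example.com" 1;
    }

    server {
        listen 443 ssl;
        ssl_certificate        /path/to/server.crt;
        ssl_certificate_key    /path/to/server.key;
        ssl_client_certificate /path/to/ca.crt;
        ssl_verify_client      on;

        access_log /var/log/nginx/mtls_access.log mtls;

        location /protected {
            # Redundant while ssl_verify_client is "on", but keeps the location
            # closed if the directive is later relaxed to "optional".
            if ($ssl_client_verify != SUCCESS) { return 403; }

            # An empty or unlisted DN falls through to the map default and is refused.
            if ($client_allowed = 0) { return 403; }

            # Replaces any X-Client-DN header sent by the client, so the
            # backend only ever sees the value NGINX took from the certificate.
            proxy_set_header X-Client-DN $ssl_client_s_dn_legacy;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```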