$ssl_client_v_remain
$ssl_client_v_remain returns the remaining number of bytes in the SSL client's certificate chain after the current certificate. — NGINX Core (HTTP)
Description
The variable $ssl_client_v_remain is part of NGINX's SSL module and is utilized during the processing of client certificates. When a client presents a certificate for authentication, it often sends a chain of certificates. The $ssl_client_v_remain variable indicates how many bytes remain in that chain after the current certificate has been processed. This can be particularly useful when managing complex authentication scenarios where multiple certificates are involved, such as in mutual TLS (mTLS) configurations. This variable is set when the SSL handshake occurs and is accessible to server directives following successful SSL handshaking. It returns a numerical value that reflects the remainder of the certificate data that is still to be read. Typically, it could return values from zero (when all certificates have been processed) to the total length of the initial certificate chain sent by the client. For instance, if a client sends a chain of three certificates totaling 300 bytes and the first certificate (approximately 100 bytes) is processed, $ssl_client_v_remain would report 200 bytes after that point. This information allows NGINX to make informed decisions based on the configuration of the SSL server and any specified authentication requirements based on valid certificates.
Config Example
server {
listen 443 ssl;
ssl_certificate server.crt;
ssl_certificate_key server.key;
location / {
if ($ssl_client_v_remain > 0) {
add_header X-SSL-Client-Remain $ssl_client_v_remain;
}
}
}Subsystem
httpCacheable
YesContexts
http, server, location, ifEnsure that SSL is properly configured and enabled to use this variable; otherwise, it will not be set.
This variable will only be available after the SSL handshake is complete.
If client authentication is not enabled, this variable may return zero or an unexpected value.