$ssl_client_verify

$ssl_client_verify indicates the verification status of a client certificate in SSL connections. — NGINX Core (HTTP)

Description

The variable $ssl_client_verify is set when the NGINX server is configured to use SSL client verification. This variable can take on specific values that represent the result of the client SSL certificate verification process. It can be set to 'none' if no client certificate was presented, 'off' if client verification is not enabled, and 'success' or 'failed' based on the outcome of the verification process. This functionality is part of the core NGINX SSL module, which manages secure connections and ensures that clients present valid certificates that can be validated against the trusted CA certificates configured in NGINX.

When client certificate verification is enabled through directives such as "ssl_verify_client", the server uses this variable to assess whether a valid client certificate has been provided during the SSL handshake process. The verification can include checks against the certificate's validity date, revocation status, and whether the certificate is signed by a trusted Certificate Authority (CA). Upon processing a request, NGINX sets the value of $ssl_client_verify to reflect the result, which can then be used for conditional processing or logging in configuration blocks.

Config Example

server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/trusted_ca.crt;
    ssl_verify_client on;

    location /private {
        # nginx reports a verified certificate as the uppercase string SUCCESS
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }
        # handle the request for authenticated clients
    }
}

Subsystem

http

Cacheable

Yes

Contexts

http, server, location, if

Ensure that SSL client verification is enabled; otherwise, the variable will not be set as expected.

Be aware of context limitations; using $ssl_client_verify in inappropriate contexts like server{} or http{} may yield unexpected results.

Using this variable in if() statements can lead to unexpected behavior; prefer using it within location blocks.
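
The conditional-processing and logging uses described above, as an added example that is not part of the original page: a map turns $ssl_client_verify into a default-deny flag, and a log_format records the raw verification result for every request. It assumes ssl_verify_client optional (so requests without a certificate still reach the location), the upper-case values nginx reports (SUCCESS, NONE, FAILED:reason), and placeholder paths, log file name and upstream address.

```nginx
# Added example; these blocks belong inside http { }.
# File paths, the log name and the upstream address are placeholders.

# Derive an allow flag from the verification result. Anything that is
# not SUCCESS (NONE, FAILED:reason, or an unexpected value) is denied.
map $ssl_client_verify $client_cert_ok {
    default 0;
    SUCCESS 1;
}

# Record the raw verification result and the certificate subject so
# that missing or rejected certificates can be reviewed in the access log.
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    ssl_certificate        /path/to/server.crt;
    ssl_certificate_key    /path/to/server.key;
    ssl_client_certificate /path/to/trusted_ca.crt;

    # "optional" requests a certificate but lets the handshake complete
    # without one, so access must be decided per location.
    ssl_verify_client optional;

    access_log /var/log/nginx/mtls.log mtls;

    location /private {
        # The if block contains only "return", one of the uses of if
        # that behaves predictably inside a location.
        if ($client_cert_ok = 0) {
            return 403;
        }

        # Pass the result to the application and overwrite any copy of
        # the header supplied by the client.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        # Public content: no client certificate required.
        root /path/to/public;
    }
}
```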