0

Is it possible to make the SSL client certificate request conditional depending on the IP range of the user with nginx?

ssl_verify_client optional always sends the request, but does not fail when no client certificate is provided. I want to make the request itself conditional.

The problem: I don't want the users within the intranet to be bothered by the browser asking for certificates, but only if they access the page from outside.

This fails:

if ($intranet != 1) { 
  ssl_verify_client on; 
} 

Error:

"ssl_verify_client" directive is not allowed here
  • You could set up two server blocks, one for the intranet, the other for others. And use ssl_verify_client in the second one.
    – Alexey Ten
    Nov 16 at 9:26
  • @AlexeyTen Yes, but that requires the user to always open the correct website. E.g. if you turn off WiFi or leave the WiFi range, you suddenly have to open another link. That is difficult to understand for the average user and does not really help with the user experience. It would be easier to turn the verification always on. For desktop computers that would be an option though.
    – Toxiro
    Nov 16 at 13:25
  • How do you detect if a request is from the internal network or from outside?
    – Alexey Ten
    Nov 16 at 14:55
  • @AlexeyTen serverfault.com/questions/818812/…
    – Toxiro
    Nov 17 at 15:16
  • If you have two separate network interfaces on the server you could use two server blocks. One with listen 192.168.0.1; (internal IP) and the second with listen 1.2.3.4; (external IP).
    – Alexey Ten
    Nov 17 at 15:28
