Chapter 5 [ 93 ]

Instead of passing the whole client certificate to the upstream server, NGINX can do some work ahead of time to see if the client is even valid. A valid client SSL certificate is one which has been signed by a recognized Certificate Authority, has a validity date in the future (that is, has not yet expired), and has not been revoked:
server {
    ...
    # CA certificates trusted to sign client certificates
    ssl_client_certificate /usr/local/etc/nginx/ClientCertCAs.pem;
    # certificate revocation list issued by those CAs
    ssl_crl /usr/local/etc/nginx/ClientCertCRLs.crl;
    # require a client certificate and verify a chain up to three levels deep
    ssl_verify_client on;
    ssl_verify_depth 3;
    # 495: the certificate failed verification; 496: no certificate was presented
    error_page 495 = @noverify;
    error_page 496 = @nocert;
    location @noverify {
        proxy_pass http://insecure?status=notverified;
    }
    location @nocert {
        proxy_pass http://insecure?status=nocert;
    }
    location / {
        # This check is only reachable with "ssl_verify_client optional";
        # with "on", NGINX has already answered 495 before selecting a location.
        if ($ssl_client_verify = FAILED) {
            return 495;
        }
        proxy_pass http://secured;
    }
}
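The following script is an added example, not code from the book: it reproduces with openssl the three checks NGINX performs under ssl_verify_client (trusted CA, validity window, CRL) and maps each outcome to the location the configuration above would route to. The CA, the client certificates and the CRL are all constructed on the fly in a temporary directory; the file names (ca.pem, crl.pem, alice.pem, rogue.pem) are assumptions for the demo.

```shell
#!/bin/sh
# Added example: emulate NGINX's client-certificate checks with openssl.
# Everything below is constructed for the demo; nothing comes from a real CA.
set -e
cd "$(mktemp -d)"

# Throwaway CA standing in for ClientCertCAs.pem, plus the minimal database
# 'openssl ca' needs to maintain a CRL (standing in for ClientCertCRLs.crl).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -keyout ca.key \
  -out ca.pem -subj "/CN=Demo Client CA" >/dev/null 2>&1
touch index.txt; echo 01 > crlnumber
printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ncrlnumber=crlnumber\ndefault_md=sha256\n' > ca.cnf
CA="openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem"
$CA -gencrl -crldays 60 -out crl.pem >/dev/null 2>&1      # empty CRL to start

issue_client() {  # $1 = CN; writes $1.pem signed by the demo CA, valid 30 days
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -days 30 -sha256 -in "$1.csr" -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out "$1.pem" >/dev/null 2>&1
}

revoke_client() {  # $1 = cert file; record the revocation and reissue the CRL
  $CA -revoke "$1" >/dev/null 2>&1
  $CA -gencrl -crldays 60 -out crl.pem >/dev/null 2>&1
}

# Emulates ssl_verify_client: $1 = cert file ("" = none presented),
# $2 = epoch time at which validity is evaluated (default: now).
# Prints the location the config above would hand the request to.
verify_client() {
  [ -n "$1" ] || { echo "@nocert"; return; }             # 496 -> @nocert
  if openssl verify -attime "${2:-$(date +%s)}" -crl_check -CAfile ca.pem \
       -CRLfile crl.pem "$1" >/dev/null 2>&1; then
    echo "secured"                                        # proxy_pass http://secured
  else
    echo "@noverify"                                      # 495 -> @noverify
  fi
}

issue_client alice
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout rogue.key \
  -out rogue.pem -subj "/CN=rogue" >/dev/null 2>&1      # self-signed by an untrusted CA
LATER=$(( $(date +%s) + 40 * 86400 ))                    # 40 days out: past the 30-day cert
echo "valid cert:   $(verify_client alice.pem)"
echo "expired cert: $(verify_client alice.pem "$LATER")"
echo "untrusted CA: $(verify_client rogue.pem)"
echo "no cert:      $(verify_client "")"
revoke_client alice.pem
echo "revoked cert: $(verify_client alice.pem)"
```

Each openssl failure reason (expired, untrusted issuer, revoked) lands in @noverify, exactly as the single 495 error_page does in NGINX; only the absence of a certificate is distinguished, via 496.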