With ssl_verify_client on in my nginx, I would expect that requests that have no client cert are denied. But they are allowed.
E.g. use a web browser to GET /foo/bar; the response is 200 OK. I would expect it to be 401 or 403 instead, because of course the web browser does not send the client cert with the request.
Have I configured this incorrectly? Or is there another step also required to deny these requests?
My server is api.example.com and I have a wildcard cert *.example.com. The client has provided their cert and CA cert.
server {
    listen 443 default_server ssl;
    server_name _;
    # bundle = my cert + CA cert
    ssl_certificate /etc/ssl/example.com.bundle.pem;
    ssl_certificate_key /etc/ssl/example.com.key;
    # bundle = other side's client cert + CA cert
    # ssl_client_certificate /etc/ssl/client/client-bundle.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_protocols TLSv1.2;
}
Your nginx is working as expected. The client certificate verification merely verifies the client certificates and stores the result in the $ssl_client_verify variable, but doesn't deny anything by itself. It's you who should describe how nginx should allow/deny the access based on this variable value in your config, probably using an if () {} clause.
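As an added example (not from the question or the answer above), here is a server block that enforces the policy the answer describes: nginx is told to request and verify a client certificate with ssl_verify_client optional, which records the outcome in $ssl_client_verify (SUCCESS, NONE, or FAILED:reason) without rejecting the handshake, and the config then refuses every request that did not verify. The paths, the upstream address, the /healthz exception, and the header names passed to the backend are assumptions for illustration.

```nginx
server {
    listen 443 ssl default_server;
    server_name api.example.com;

    ssl_certificate     /etc/ssl/example.com.bundle.pem;
    ssl_certificate_key /etc/ssl/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # CA certificate(s) that client certificates must chain to.
    # This directive must be present (not commented out) for nginx to
    # verify anything at all. Path is an assumption.
    ssl_client_certificate /etc/ssl/client/client-ca.pem;
    ssl_verify_depth       2;

    # "optional": ask for a client certificate, verify it if one is sent,
    # and store the result in $ssl_client_verify instead of failing the
    # TLS handshake. The allow/deny decision is made below.
    ssl_verify_client optional;

    location = /healthz {
        # Assumed unauthenticated probe endpoint: reachable without a cert.
        return 200 "ok\n";
    }

    location / {
        # Deny everything that is not a successfully verified certificate:
        # no certificate at all ($ssl_client_verify = NONE) or a certificate
        # that failed validation (FAILED:...). 403 is returned before the
        # request ever reaches the upstream.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward the verified identity to the backend (assumed header names
        # and upstream) so it can authorize on the subject DN.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Verify  $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

To check the behaviour, compare `curl -k https://api.example.com/foo/bar` (expect 403) with `curl -k --cert client.pem --key client.key https://api.example.com/foo/bar` (expect the upstream's response), and hit /healthz with neither. Two caveats: ssl_verify_client on or optional requires ssl_client_certificate to be set, otherwise nginx refuses to load the configuration (optional_no_ca is the only mode that loads without it); and if a backend trusts the X-Client-Cert-DN header, make sure it is only reachable through this nginx, since a client talking to the backend directly could supply that header itself.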