I have googled around and it seems like nginx does not provide a way to do client-side TLS verification based on the path. I just wanted to ask the community if this is still the case, or if there is some sort of a workaround.
I am basically trying to have an admin page at domain-name/admin, where accessing the public domain name requires only server-side TLS verification but I want to have mutual TLS verification only for the /admin path. Is this even possible without having to get a new domain for admin?
The reason for this is because nginx doesn't learn the path (part of the request) until after the TLS layer is set up, so it can't go back in time and change its mind about requiring a client cert.
Another workaround may be to redirect /admin to another hostname, e.g. admin.domain-name (you'd need a wildcard cert), and then it should be able to enforce client certs at that level.
Otherwise, if you try making the client cert optional, every client will get a dialog popup asking them to choose a client cert.
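The separate-hostname workaround described above, written out as an nginx configuration. This is an added example, not configuration posted by anyone in the thread; `example.com`, `admin.example.com`, the file paths and the backend address are placeholders.

```nginx
# Added example: hostnames, certificate paths and the backend address are placeholders.

# Public site: ordinary server-authenticated TLS, no client certificate requested.
server {
    listen 443 ssl;
    server_name example.com;

    # One certificate covering both names (for instance the wildcard cert mentioned above).
    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;

    # Never serve the admin application on this hostname;
    # send the browser to the hostname that enforces client certificates.
    location /admin {
        return 301 https://admin.example.com$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Admin hostname: the client certificate is requested during the TLS handshake,
# which works because nginx selects this server block from SNI before any path is known.
server {
    listen 443 ssl;
    server_name admin.example.com;

    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;

    # CA that issues the admin client certificates.
    ssl_client_certificate /etc/nginx/tls/admin-clients-ca.crt;
    # Requests without a valid client certificate are answered with 400.
    ssl_verify_client on;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Single-hostname alternative (browsers holding a certificate may prompt on every visit):
#   ssl_verify_client optional;
#   location /admin { if ($ssl_client_verify != SUCCESS) { return 403; } ... }
```

Check the result with `nginx -t` before reloading, and confirm that a request to the admin hostname without a client certificate is rejected.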