In addition to the usual CA chain validation, I would like the Nginx server section to permit only specific client certificate thumbprints.
I could find out how to check for a single fingerprint, but I'm not sure how to combine multiple fingerprints, because Nginx does not support "or", and map is not allowed inside server sections.
So, for now I have an ugly workaround like this:
# Normal chain validation against the trusted CA chain
ssl_client_certificate /usr/local/share/ca-certificates/trusted_chain.pem;
ssl_verify_client on;
ssl_verify_depth 3;

# One "if" per allowed client certificate fingerprint (SHA-1, lowercase hex)
if ( $ssl_client_fingerprint = "12a4f0abc935cc0dd0f6fdcc0d56682d7f5c15a1" ) {
    set $whiteclient 1;
}
if ( $ssl_client_fingerprint = "12a4f0abc935cc0dd0f6fdcc0d56682d7f5c15a2" ) {
    set $whiteclient 1;
}
if ( $ssl_client_fingerprint = "12a4f0abc935cc0dd0f6fdcc0d56682d7f5c15a3" ) {
    set $whiteclient 1;
}

# Reject everything that did not match one of the fingerprints above
if ( $whiteclient != 1 ) {
    return 403;
}
Is there any nicer way to do this?
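As an added example (not part of the original post), the same allow-list expressed with a map: map is not permitted inside server, but it is permitted in the enclosing http context, where it can set $whiteclient for the server block to test. The three fingerprints are the placeholder values from the question, and the server certificate paths are assumed.

```nginx
http {
    # Map the client certificate's SHA-1 fingerprint to 1 for allowed
    # clients; anything not listed falls through to the default of 0.
    # Fingerprints below are the placeholder values from the question.
    map $ssl_client_fingerprint $whiteclient {
        default 0;
        "12a4f0abc935cc0dd0f6fdcc0d56682d7f5c15a1" 1;
        "12a4f0abc935cc0dd0f6fdcc0d56682d7f5c15a2" 1;
        "12a4f0abc935cc0dd0f6fdcc0d56682d7f5c15a3" 1;
    }

    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/server.crt;   # assumed path
        ssl_certificate_key /etc/nginx/server.key;   # assumed path

        # Chain validation as in the question; ssl_verify_client on already
        # rejects certificates that do not chain to trusted_chain.pem.
        ssl_client_certificate /usr/local/share/ca-certificates/trusted_chain.pem;
        ssl_verify_client on;
        ssl_verify_depth 3;

        # The map has already been evaluated for this connection, so a
        # single check replaces the chain of "if" blocks.
        if ($whiteclient = 0) {
            return 403;
        }
    }
}
```

The fingerprint check only narrows the set of certificates that already passed chain validation; a certificate that fails validation never reaches the 403 branch because ssl_verify_client rejects it first.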