Using Apache I created an HTTPS site that contains a folder called secure [which I want to access with user and password] and another folder called verysecure [which I want to access with certificate authentication].
When I access the site using https://www.example.com I get the default index.html file located in the root, as would be expected. When I access https://www.example.com/secure/ I provide the user and password and get the index.html file located in that folder. When I access https://www.example.com/verysecure/ the certificate popup window allows me to choose the certificate that I want to use and upon doing so I get the index.html file located in that folder.
How can I configure Nginx so that the certificate chooser pop up window comes only when I access https://www.example.com/verysecure/ and not when I access https://www.example.com/ or https://www.example.com/secure/ ?
According to this thread from the official nginx development forum (update @ 2025.04.24: the nginx forum is closed, archived version, nginx-devel mailing list thread), you can't (although this thread is almost 10 years old, SSL/TLS re-handshake still isn't supported by nginx). The only workaround suggested by Igor Sysoev is to use an optional client certificate verification
    ssl_verify_client optional;

and then checking the $ssl_client_verify variable value:
    location /verysecure/ {
        if ($ssl_client_verify != SUCCESS) {
            # deny client
            return 403;
            # or process the request on some internal location, see
            # http://nginx.org/en/docs/http/ngx_http_core_module.html#internal
            # rewrite ^ /internal last;
        }
        ...
    }
However, using this workaround the certificate chooser window will pop up (only for clients who had the correct certificate installed) on the initial TLS handshaking, not only on visiting the /verysecure/ URI.
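
A complete server block for the three paths in the question, built on the workaround above. This is an added example, not part of the original answer; all file paths and the basic-auth realm name are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name www.example.com;
    root /var/www/example;                                  # assumed document root

    ssl_certificate     /etc/nginx/tls/server.crt;          # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;          # assumed path

    # CA used to verify client certificates (assumed path).
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;

    # Request a client certificate during the handshake but do not require it.
    # This applies to the whole server block, so the browser may prompt on the
    # first connection, whichever URI is requested.
    ssl_verify_client optional;

    # /secure/ : user and password only.
    location /secure/ {
        auth_basic           "secure";                      # assumed realm name
        auth_basic_user_file /etc/nginx/htpasswd;           # assumed path
    }

    # /verysecure/ : serve content only if a certificate was presented and
    # verified against ssl_client_certificate. $ssl_client_verify is NONE
    # when the client sent no certificate.
    location /verysecure/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
    }
}
```

After reloading, `curl -I https://www.example.com/verysecure/` without `--cert`/`--key` should return 403, and the same request with a certificate issued by the configured CA should return 200.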