Nginx map client certificate to REMOTE_USER for uWSGI with fallback to basic auth?
I see two possible solutions: you can either overwrite the uwsgi_param or use $remote_user as a default value for the variable $ssl_client_s_dn_cn.

To overwrite the uwsgi_param (this should also work with fastcgi_param), use the map directive as you suggested (just remove the ";" after "}"), and use the if_not_empty parameter for the directive:

    uwsgi_param REMOTE_USER $remote_user;
    uwsgi_param REMOTE_USER $ssl_client_s_dn_cn if_not_empty;

$ssl_client_s_dn_cn should override $remote_user if present. This approach has the advantage that the two different variable names can be used separately elsewhere (for example, in the log format).

See: http://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#uwsgi_param

To use $remote_user as the default value for the $ssl_client_s_dn_cn variable when defining the map:

    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default $remote_user;
        ~/CN=(?<CN>[^/]+) $CN;
    }

Please note that the map directive cannot be used at server context, while location should. And also note that Nginx variables cannot be overwritten.
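
An added example, not part of the original answer: a Python emulation of the map above, useful for checking which identity ends up in REMOTE_USER for a given subject DN before deploying. The sample DNs and user names are constructed, and `RFC2253_PATTERN` is an assumed variant for the comma-separated form that $ssl_client_s_dn has used since nginx 1.11.6 (the slash-separated form is in $ssl_client_s_dn_legacy).

```python
import re

# The answer's map pattern (nginx "~" is a case-sensitive regex match).
PAGE_PATTERN = re.compile(r"/CN=(?P<CN>[^/]+)")

# Assumed variant, not from the answer: RFC 2253 form "CN=alice,O=Example,C=US",
# allowing backslash-escaped characters inside the CN value.
RFC2253_PATTERN = re.compile(r"(?:^|,)CN=(?P<CN>(?:[^,\\]|\\.)+)")


def map_cn(subject_dn, remote_user, pattern=PAGE_PATTERN):
    """Emulate the second approach:
    map $ssl_client_s_dn $ssl_client_s_dn_cn { default $remote_user; ~pattern $CN; }
    """
    m = pattern.search(subject_dn)
    return m.group("CN") if m else remote_user


def effective_remote_user(subject_dn, remote_user, pattern=PAGE_PATTERN):
    """Emulate the first approach as the answer describes it: the CN line is
    sent only if_not_empty and then overrides the $remote_user line."""
    m = pattern.search(subject_dn)
    cn = m.group("CN") if m else ""
    return cn or remote_user


if __name__ == "__main__":
    # Constructed samples: (subject DN, basic-auth user)
    samples = [
        ("/C=US/O=Example/CN=alice", "bob"),   # slash-separated DN
        ("", "bob"),                           # no client certificate
        ("CN=alice,O=Example,C=US", "bob"),    # RFC 2253 DN
    ]
    for dn, user in samples:
        print(repr(dn), "->", map_cn(dn, user),
              "| rfc2253 pattern ->", map_cn(dn, user, RFC2253_PATTERN))
```

With the slash-anchored pattern, an RFC 2253 subject does not match, so the request is attributed to the basic-auth user instead of the certificate CN; match the pattern to the DN form your nginx version actually emits.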