
Nginx map client certificate to REMOTE_USER for uWSGI with fallback to basic auth?


Nginx 1.11 and 1.12 changed the quoting of $ssl_client_s_dn_cn.

If you come here and have a headache, try this regexp instead:

    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default "should_not_happen";
        ~CN=(?<CN>[^/,\"]+) $CN;
    }


I see two possible solutions: you can either overwrite the uwsgi_param or use $remote_user as a default value for the variable $ssl_client_s_dn_cn.


To overwrite the uwsgi_param (this should also work with fastcgi_param), use the map directive as you suggested (just remove the ";" after "}"), and use the if_not_empty parameter for the directive:

    uwsgi_param REMOTE_USER $remote_user;
    uwsgi_param REMOTE_USER $ssl_client_s_dn_cn if_not_empty;

$ssl_client_s_dn_cn should override $remote_user if present. This approach has the advantage that the two different variable names can still be used separately elsewhere (for example, in the log format).

See: http://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#uwsgi_param


To use $remote_user as the default value for the $ssl_client_s_dn_cn variable when defining the map:

    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default $remote_user;
        ~/CN=(?<CN>[^/]+) $CN;
    }

Please note that the map directive cannot be used at server context, while location should. And also note that Nginx variables cannot be overwritten.
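
Added example (not from either answer above): a Python emulation of the two map regexes and the if_not_empty fallback, run over constructed subject DNs, showing why the older /CN= pattern stops matching once the DN is rendered comma-separated. The DN strings, the user name bob and the helper names are assumptions; Python spells the named group (?P<CN>...) where nginx accepts (?<CN>...).

```python
import re

# Python spells named groups (?P<CN>...); nginx (PCRE) accepts (?<CN>...).
LEGACY_RE = re.compile(r'/CN=(?P<CN>[^/]+)')     # map from the second answer
UPDATED_RE = re.compile(r'CN=(?P<CN>[^/,"]+)')   # map from the first answer


def map_cn(subject_dn, pattern, default):
    """Emulate the map block: regex capture on match, else the default."""
    m = pattern.search(subject_dn)
    return m.group("CN") if m else default


def remote_user_param(remote_user, cn):
    """Emulate the two uwsgi_param lines. An empty value is skipped by
    if_not_empty; the later non-empty value is assumed to win, as the
    answer describes."""
    value = remote_user
    if cn:
        value = cn
    return value


# Constructed subject DNs for the same certificate in both renderings.
OLD_STYLE = "/C=US/O=Example/CN=alice/emailAddress=alice@example.com"
RFC2253 = "emailAddress=alice@example.com,CN=alice,O=Example,C=US"
NO_CERT = ""  # $ssl_client_s_dn is empty when no certificate was presented


def demo():
    """Return (case, REMOTE_USER via legacy map, REMOTE_USER via updated map)
    for a request that also carries basic-auth user 'bob' (constructed)."""
    rows = []
    for label, dn in (("old", OLD_STYLE), ("rfc2253", RFC2253), ("none", NO_CERT)):
        legacy = map_cn(dn, LEGACY_RE, default="")
        updated = map_cn(dn, UPDATED_RE, default="")
        rows.append((label,
                     remote_user_param("bob", legacy),
                     remote_user_param("bob", updated)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

If the first answer's map is combined with if_not_empty, its "should_not_happen" default is never empty, so a request without a certificate is passed on as REMOTE_USER "should_not_happen" rather than the basic-auth user; an empty default keeps the fallback working.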