I am looking at options to add client-side certificate authentication with a fingerprint whitelist to a local site, and have successfully configured nginx to operate in the intended manner. My configuration is as follows:

# Client Certificate Whitelisting
map $ssl_client_fingerprint $reject {
    default 1;
    <ALLOWED_FINGERPRINT_1> 0;
    <ALLOWED_FINGERPRINT_2> 0;
    ...
    <ALLOWED_FINGERPRINT_N> 0;
}

server {
    ...
    ssl_client_certificate /etc/pki/tls/certs/Private-CA-bundle.pem;
    ssl_verify_client on; 
    ...
    if ($reject) { return 403; }
    ...
}

However, I would like to store the fingerprint list in a separate text file, rather than manipulating the nginx configuration file directly each time. Is this possible?

As a bonus, it would be great if I could modify the contents of the text file and have them take effect without reloading nginx. It is acceptable for removals to still require a service restart or other manual session teardown procedure.

---- EDIT ----

Based on the accepted answer, I was able to get this working.

The updated configuration file is:

# Client Certificate Whitelisting
map $ssl_client_fingerprint $reject {
    default 1;
    include /etc/nginx/cert-whitelist;
}

I was able to add a new certificate and apply the changes without a full service restart.

### Attempt connection with client certificate; returns 403 Forbidden
[root]# cat /run/nginx.pid 
5606
[root]# echo "${FINGERPRINT} 0;" >> /etc/nginx/cert-whitelist
[root]# kill -1 $(cat /run/nginx.pid)
[root]# cat /run/nginx.pid 
5606
### Attempt connection with client certificate; success

CodePudding user response：

The map directive has the ability to source a correctly formatted file. See this document for details.

You can use SIGHUP to re-read the configuration file without restarting Nginx. See this document for details.