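# mTLS sidecar: terminates TLS, requires a client certificate signed by the
# configured CA, optionally restricts clients to one certificate fingerprint,
# then forwards to the upstream named by ${PROXY_PASS}.
# ${ALLOWED_CERTIFICATE_FINGERPRINT} and ${PROXY_PASS} are substituted before
# nginx reads this file (envsubst-style); they are not nginx variables.
server {
    listen 443 ssl;
    server_name localhost 127.0.0.1 sidecar.mtls.labbs.com.br;

    ssl_certificate     /etc/nginx/conf.d/certs/server.pem;
    ssl_certificate_key /etc/nginx/conf.d/certs/server-key.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and removed from the original
    # list; TLSv1.3 is accepted by nginx 1.13.0+ (ignored when the linked
    # OpenSSL lacks it). Clients limited to TLS <= 1.1 will no longer connect.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # CA bundle used to verify the client certificate chain. With
    # ssl_verify_client on, a connection without a valid client certificate
    # is rejected at the handshake, before any location is reached.
    ssl_client_certificate /etc/nginx/conf.d/certs/clients-ca.pem;
    # ssl_verify_depth 1;   # left at the nginx default (1); set explicitly if the CA bundle contains intermediates
    ssl_verify_client on;

    location / {
        # Certificate pinning: allow either any CA-signed client certificate
        # ("all") or exactly one, identified by fingerprint.
        # NOTE(review): $ssl_client_fingerprint is the SHA-1 fingerprint as
        # nginx renders it (lowercase hex, no separators); the substituted
        # value must use the same form or the comparison never matches.
        set $pinning 1;
        set $allowedClientCertificateFingerprint "${ALLOWED_CERTIFICATE_FINGERPRINT}";

        # nginx has no if/else or and/or; the two conditions are combined by
        # prefixing digits onto $pinning and testing the resulting string.
        # http://rosslawley.co.uk/archive/old/2010/01/04/nginx-how-to-multiple-if-statements/
        if ($allowedClientCertificateFingerprint = "all") {
            set $pinning 0$pinning; # ALL => $pinning=01
        }
        if ($ssl_client_fingerprint != $allowedClientCertificateFingerprint) {
            set $pinning 10$pinning; # ALL => $pinning=1001 | NOT_ALL => $pinning=101
        }
        # $pinning=1    => NOT ALL AND ALLOWED      -> proxied
        # $pinning=101  => NOT ALL AND NOT ALLOWED  -> 403
        # $pinning=1001 => ALL AND NOT ALLOWED      -> proxied ("all" suppresses the fingerprint check)
        if ($pinning = 101) {
            return 403;
        }

        # Send SNI to the upstream so a TLS upstream can select its certificate.
        proxy_ssl_server_name on;
        proxy_pass ${PROXY_PASS};
    }

    # Debug endpoint echoing client-certificate variables; kept disabled.
    # location /auth_test {
    #     return 200 "
    #     $ssl_client_s_dn
    #     $ssl_server_name
    #     $ssl_client_escaped_cert
    #     $ssl_client_cert
    #     $ssl_client_raw_cert";
    # }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}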