From 65b9428dac5de5527ef54e968f49ed70e747a0a3 Mon Sep 17 00:00:00 2001
From: hweawer
Date: Tue, 31 Dec 2024 10:32:13 +0100
Subject: [PATCH] Enable mTLS

---
 nginx/config/default.go | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/nginx/config/default.go b/nginx/config/default.go
index 032cff19a..e80564e0e 100644
--- a/nginx/config/default.go
+++ b/nginx/config/default.go
@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-// http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -29,15 +29,10 @@ var _nameToDefaultTemplate = map[string]string{
 // DefaultClientVerification is the default nginx configuration for
 // client verification in the server block.
 const DefaultClientVerification = `
-ssl_verify_client optional;
+ssl_verify_client on;
 set $required_verified_client 1;
-if ($scheme = http) {
- set $required_verified_client 0;
-}
-if ($request_method ~ ^(GET|HEAD)$) {
- set $required_verified_client 0;
-}
 if ($remote_addr = "127.0.0.1") {
+ ssl_verify_client optional;
 set $required_verified_client 0;
 }
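Review bot: The added `ssl_verify_client optional;` inside `if ($remote_addr = "127.0.0.1") { … }` in the second hunk is not something nginx accepts: the directive is valid only in `http` and `server` context, so a configuration rendered from `DefaultClientVerification` should fail `nginx -t` and not load. It also could not act as a per-request override, because the client certificate is requested during the TLS handshake, before any `if` is evaluated; with `on` at server level a loopback client without a certificate is turned away regardless of `$required_verified_client`. If the loopback exemption is meant to stay, keep the server-level line as `ssl_verify_client optional;`, drop the line added inside the `if`, and confirm that whatever consumes `$required_verified_client` rejects unverified remote clients (the template continues past this hunk, so that check is not visible here); otherwise remove the loopback `if` altogether. A test that renders the template and runs `nginx -t` on the result would catch this class of error before it ships.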