Mugen

Reputation: 9095

Pass $ssl_client_s_dn from nginx/uwsgi to flask app

I'm running a Python web server with uWSGI and nginx, with the base image of tiangolo/uwsgi-nginx-flask.

I want to pass on my client certificate DN if one exists. For that I defined the following nginx.conf:

uwsgi_read_timeout 300;

ssl_certificate     /app/cert.pem;
ssl_certificate_key /app/key.pem;
ssl_password_file   /app/password.pass;

ssl_client_certificate  /app/client-ca.crt;
ssl_verify_client optional;
ssl_verify_depth 2;

include uwsgi_params;
uwsgi_param HTTP_X_DN $ssl_client_s_dn;

I want my Flask code to receive the HTTP_X_DN parameter, but cannot find how.

From looking around, I found it's expected to reside in the request.environ object of Flask, but I don't see any such key when printing the environ content.

For reference, request.environ.keys() returns the following when sending a request via Postman:

dict_keys(['QUERY_STRING', 'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH', 'REQUEST_URI', 'PATH_INFO', 'DOCUMENT_ROOT', 'SERVER_PROTOCOL', 'REQUEST_SCHEME', 'HTTPS', 'REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_PORT', 'SERVER_NAME', 'HTTP_CONTENT_TYPE', 'HTTP_CACHE_CONTROL', 'HTTP_POSTMAN_TOKEN', 'HTTP_USER_AGENT', 'HTTP_ACCEPT', 'HTTP_HOST', 'HTTP_ACCEPT_ENCODING', 'HTTP_CONTENT_LENGTH', 'HTTP_CONNECTION', 'wsgi.input', 'wsgi.file_wrapper', 'wsgi.version', 'wsgi.errors', 'wsgi.run_once', 'wsgi.multithread', 'wsgi.multiprocess', 'wsgi.url_scheme', 'uwsgi.version', 'uwsgi.node', 'werkzeug.request'])

Upvotes: 4

Views: 887

Answers (1)

Mugen

Reputation: 9095

Apparently this was caused by limitations of the configurations the Docker image was exposing.

See https://github.com/tiangolo/uwsgi-nginx-flask-docker/issues/103

You can now completely overwrite nginx.conf, whereas previously I've only overwritten app.conf.

Anyway, this is a small workaround that worked best; add this in /app/prestart.sh:

#!/usr/bin/env bash
ex -sc '%s/include uwsgi_params;/include uwsgi_params; uwsgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;/g|x' /etc/nginx/conf.d/nginx.conf

Upvotes: 0
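
Added example, not part of the original answer: a plain WSGI wrapper showing why the non-`HTTP_` key used in the answer is the one to trust when `ssl_verify_client optional` is set. Any `HTTP_*` key, such as the question's `HTTP_X_DN`, can also be produced by a client sending the matching request header, whereas `SSL_CLIENT_S_DN` is set only by the nginx `uwsgi_param` line. The `SSL_CLIENT_VERIFY` parameter (an extra line `uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;`), the `client_cert.dn` key and the class and function names are assumptions of this example.

```python
# Added example (not from the original post): plain WSGI, no third-party imports.
TRUSTED_DN = "SSL_CLIENT_S_DN"        # from the answer's uwsgi_param line
TRUSTED_VERIFY = "SSL_CLIENT_VERIFY"  # assumption: uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
# Keys a client can create itself by sending X-DN / Ssl-Client-* request headers.
SPOOFABLE = ("HTTP_X_DN", "HTTP_SSL_CLIENT_S_DN", "HTTP_SSL_CLIENT_VERIFY")


def verified_client_dn(environ):
    """Return the subject DN only if nginx verified a client certificate, else None."""
    if environ.get(TRUSTED_VERIFY) != "SUCCESS":
        return None  # "NONE" (no cert sent), "FAILED:..." or parameter missing
    return environ.get(TRUSTED_DN) or None


class ClientCertMiddleware:
    """Hypothetical wrapper; for Flask: app.wsgi_app = ClientCertMiddleware(app.wsgi_app)."""

    def __init__(self, wsgi_app):
        self.wsgi_app = wsgi_app

    def __call__(self, environ, start_response):
        for key in SPOOFABLE:
            environ.pop(key, None)  # never let header-derived values reach the app
        environ["client_cert.dn"] = verified_client_dn(environ)
        return self.wsgi_app(environ, start_response)


def _demo_app(environ, start_response):
    """Constructed stand-in for the Flask app: echoes the DN it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [(environ["client_cert.dn"] or "anonymous").encode()]


def run_demo(environ):
    """Drive the middleware with a constructed environ and return the response body."""
    body = ClientCertMiddleware(_demo_app)(dict(environ), lambda status, headers: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    # Constructed environs: a verified certificate, then no certificate plus a spoofed header.
    print(run_demo({"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=alice,O=Example"}))
    print(run_demo({"SSL_CLIENT_VERIFY": "NONE", "SSL_CLIENT_S_DN": "", "HTTP_X_DN": "CN=admin"}))
```

Inside a Flask view the result is then available as `request.environ["client_cert.dn"]`.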
