kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0
16.95k stars 8.14k forks

Possibility to use ssl_client_fingerprint #9741

Open KosShutenko opened 1 year ago

KosShutenko commented 1 year ago

What happened:

I am trying to use "$ssl_client_fingerprint" variable in my configuration. I've added annotations for my ingress:

    nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;

but it doesn't help.

What you expected to happen:

I want to see the header X-SSL-Client-Fingerprint with the client fingerprint hash.

NGINX Ingress controller version:

    NGINX Ingress controller
      Release:       v1.5.1
      Build:         d003aae913cc25f375deb74f898c7f3c65c06f05
      Repository:    https://github.com/kubernetes/ingress-nginx
      nginx version: nginx/1.21.6

Kubernetes version: Server Version: v1.23.14-gke.1800

Also, I've tried to use ModSecurity with OWASP.

I've found a relevant issue, but without any solution :(

How can I get ssl_client_fingerprint? Thank you for any advice.
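
The `auth-tls-pass-certificate-to-upstream: "true"` annotation in the post above makes the controller forward the client certificate to the backend in the `ssl-client-cert` header as URL-encoded PEM, so the value nginx reports as `$ssl_client_fingerprint` (SHA-1 over the DER certificate) can be recomputed on the upstream side. The Python below is an added example, not part of the issue thread or the ingress-nginx code; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprint_from_header(header_value):
    """Lowercase hex SHA-1 of the first certificate in a URL-encoded PEM
    header value; None when the header is missing or malformed."""
    if not header_value:
        return None
    match = PEM_RE.search(unquote(header_value))
    if not match:
        return None
    try:
        # Strip PEM line breaks, then reject anything that is not base64.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return None
    return hashlib.sha1(der).hexdigest() if der else None


def is_pinned(header_value, allowed_fingerprints):
    """True if the forwarded certificate matches an allow-listed fingerprint.
    Accepts 'AA:BB:..' or 'aabb..' notation; comparison is constant-time."""
    fp = fingerprint_from_header(header_value)
    if fp is None:
        return False
    return any(hmac.compare_digest(fp, a.lower().replace(":", ""))
               for a in allowed_fingerprints)


def make_sample_header(der):
    """Build a header value shaped like the one the controller forwards."""
    body = base64.encodebytes(der).decode()
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    return quote(pem, safe="")


# Constructed bytes standing in for a DER certificate (not a real certificate).
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"

if __name__ == "__main__":
    print(fingerprint_from_header(make_sample_header(SAMPLE_DER)))
```

With `optional_no_ca` the certificate chain is not validated by nginx, so the backend should only act on this header when requests can reach it exclusively through the ingress controller.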

k8s-ci-robot commented 1 year ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

longwuyuan commented 1 year ago

/remove-kind bug
/kind feature
/help

k8s-ci-robot commented 1 year ago

@longwuyuan: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/9741):

>/remove-kind bug
>/kind feature
>/help

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

strongjz commented 1 year ago

Can you share what your nginx.conf looks like? I'm not sure that $ssl_client_fingerprint is getting used properly.

You can use the kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin/#conf

or

    kubectl exec $INGRESS_POD -- cat /etc/nginx/nginx.conf

KosShutenko commented 1 year ago

Hello,

Our current nginx.conf looks like: nginx.conf.txt

I've removed part of the server sections, which are not related to this test. I've added proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint; for one server only.

github-actions[bot] commented 1 year ago

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any questions or requests to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

ryanotella commented 4 months ago

Did you add ssl_verify_client on;?