Nginx-如何访问客户端证书的使用者备用名称（SAN）字段

我有一个Nginx服务器，客户端使用包含特定CN和SAN的客户端证书向客户端发出请求。我希望能够提取该客户端证书的CN（通用名称）和SAN（主题备用名称）字段。

I have an Nginx server which clients make requests to with a Client certificate containing a specific CN and SAN. I want to be able to extract the CN (Common Name) and SAN (Subject Alternative Names) fields of that client cert.

粗略示例配置：

server {
listen 443 ssl;
ssl_client_certificate /etc/nginx/certs/client.crt;
ssl_verify_client on; #400 if request without valid cert

location / {
    root    /usr/share/nginx/html;

}
location /auth_test {
    # do something with the CN and SAN.
    # tried these embedded vars so far, to no avail
    return 200 "
    $ssl_client_s_dn 
    $ssl_server_name
    $ssl_client_escaped_cert
    $ssl_client_cert
    $ssl_client_raw_cert";
}
}

使用嵌入的变量作为 ngx_http_ssl_module 模块我可以访问DN（专有名称），因此可以访问CN等，但是我似乎无法访问SAN。

Using the embedded variables exposed as part of the ngx_http_ssl_module module I can access the DN (Distinguished Name) and therefore CN etc but I don't seem to be able to get access to the SAN.

我是否缺少一些嵌入式var /其他模块/一般的Nginx foo？我可以访问原始证书，因此可以手动对其进行解码并提取出来吗？

Is there some embedded var / other module / general Nginx foo I'm missing? I can access the raw cert, so is it possible to decode that manually and extract it?

我宁愿在Nginx层上执行此操作，而不是将证书传递到应用程序层并在那里进行。

I'd really rather do this at the Nginx layer as opposed to passing the cert down to the application layer and doing it there.

非常感谢您提供的帮助。

Any help much appreciated.