In most organisations, management APIs are not as visible as customer-facing traffic, yet their blast radius is far larger. A config-reload endpoint, an operations panel, or an internal admin service that is poorly protected can let a small flaw affect the whole platform. That is why settling for IP allowlists or basic auth alone tends to fall short. An mTLS model based on client certificates draws an especially strong and clear security boundary around operational interfaces.
In this guide we use Nginx as a reverse proxy and let only requests carrying a valid client certificate reach the management API.
What are we building?
The scenario is straightforward:
- An internal management API is running on the private network.
- The API is not exposed directly to the internet.
- Nginx sits in front of it.
- Calling clients carry a certificate issued by an internal CA.
This model fits well for internal tools behind a bastion, management dashboards, and the admin endpoints of platform services.
Nginx configuration
A basic example might look like this:
server {
listen 443 ssl;
server_name admin-api.internal.example;
ssl_certificate /etc/nginx/tls/server.crt;
ssl_certificate_key /etc/nginx/tls/server.key;
ssl_client_certificate /etc/nginx/tls/ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
}
}The critical line here is ssl_verify_client on;. Without validating the client certificate against the CA chain, Nginx refuses to forward traffic to the upstream service.
Don’t adopt mTLS without designing the certificate lifecycle
mTLS looks technically simple, but to be sustainable the certificate lifecycle has to be designed up front. You should have clear answers to these questions:
- Who exactly is each client certificate issued to?
- How long is it valid?
- How will it be revoked if it leaks or is lost?
- How are certificates closed off when someone leaves the team?
Long-lived client certificates in particular may look fine when the system is first deployed, but over time they leave behind an invisible legacy of access.
What should the application layer enforce?
Even when Nginx validates the certificate, the application layer must not accept the incoming information blindly. At a minimum, these checks pay off:
- Is
X-Client-VerifyactuallySUCCESS? - Does the certificate subject contain the expected team or service name?
- Does the endpoint require an additional, finer-grained authorisation check?
In other words, mTLS verifies identity at the gate; the authorisation for each operation inside still belongs to the application.
Operational hardening tips
To keep this setup robust over time, a few additional steps make sense:
- Bind the management API to loopback or an internal interface only.
- Record the client DN in the Nginx access logs.
- Use a CRL or short-lived certificate model for revocation.
- Turn failed verification attempts into alert signals.
That way mTLS becomes more than an access gate; it turns into an auditable operational control.
Conclusion
Protecting a management API with mTLS on Nginx provides a far stronger model than relying on “trusted network” assumptions for internal services. Especially for platform and operations tooling, a simple validation layer driven by client certificates both strengthens security and makes access intent more readable. The hard part is not writing the configuration; it is managing the certificate lifecycle and in-application authorisation decisions with the same level of discipline.