$ssl_client_escaped_cert forward client cert in URL encoded PEM only
We use nginx as reverse proxy to a upstream endpoint which requires a client cert authentication. The proxy is configured to request a certificate from the browser and then to set a header in the proxy location block like:
The upstream server supports PEM with some restrictions:
Newlines should be replaced by space (or any whitespace)
Or alternatively only the base64 content in one row (no blanks) without BEGIN.. END CERTIFICATE sections
Manipulating the upstream server is not an option. It is not another nginx instance. Is it possible to rewrite the header before it is sent by replacing all %0d and %0a with space and URL decoding a few other characters like %2f?