1. Caddy version:
2.6.2
2. How I installed, and run Caddy:
With Docker
a. System environment:
b. Command:
docker compose build --pull --no-cache
docker compose up --detach
c. Service/unit/compose file:
# Build Caddy with the Mercure and Vulcain modules
FROM caddy:2.6-builder-alpine AS app_caddy_builder
RUN xcaddy build \
    --with github.com/dunglas/mercure \
    --with github.com/dunglas/mercure/caddy \
    --with github.com/dunglas/vulcain \
    --with github.com/dunglas/vulcain/caddy

# Caddy image
FROM caddy:2.6-alpine AS app_caddy
RUN apk add --no-cache \
        nss-tools \
    ;
WORKDIR /srv/app
COPY --from=app_caddy_builder --link /usr/bin/caddy /usr/bin/caddy
COPY --from=app_php --link /srv/app/public public/
COPY --link docker/caddy/Caddyfile /etc/caddy/Caddyfile
d. My complete Caddy config:
{
	# Debug
	{$CADDY_DEBUG}
}

{$SERVER_NAME} {
	{$CADDY_EXTRA_CONFIG}

	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/certs/ca.pem
		}
	}

	log

	route {
		root * /srv/app/public

		mercure {
			# Transport to use (default to Bolt)
			transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
			# Publisher JWT key
			publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
			# Subscriber JWT key
			subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
			# Allow anonymous subscribers (double-check that it's what you want)
			anonymous
			# Enable the subscription API (double-check that it's what you want)
			subscriptions
			# Extra directives
			{$MERCURE_EXTRA_DIRECTIVES}
		}

		vulcain

		php_fastcgi unix//var/run/php/php-fpm.sock {
			env SSL_CLIENT_S_FINGERPRINT {http.request.tls.client.fingerprint}
			env SSL_CLIENT_S_CERTIFICATE {http.request.tls.client.certificate_der_base64}
			env SSL_CLIENT_S_ISSUER {http.request.tls.client.issuer}
			env SSL_CLIENT_S_SERIAL {http.request.tls.client.serial}
			env SSL_CLIENT_S_DN {http.request.tls.client.subject}
		}

		encode zstd gzip
		file_server
	}
}
3. The problem I'm having:
The client authentication works fine. The CA certificate chain is correctly loaded on the server side and, with a valid client certificate, I am able to see the environment variables sent to the PHP application by Caddy.
However, I noted the value of the placeholder http.request.tls.client.subject is not formatted as it should be (or at least as formatted by other applications such as NGINX or Apache).
As an example, the result I have is as follows:
CN=john.doe,O=Spomky-Labs,L=Paris,ST=France,C=FR,1.2.840.113549.1.9.1=#0c126a6f686e2e646f65406d6574656f666f6e79
The emailAddress field is missing, but its OID 1.2.840.113549.1.9.1 is present. The value #0c126a6f686e2e646f65406d6574656f666f6e79 is the actual email address I expect (john.doe@meteofony).
I expect the subject string to be:
CN=john.doe,O=Spomky-Labs,L=Paris,ST=France,C=FR,emailAddress=john.doe@meteofony
4. Error messages and/or full log output:
No error messages
5. What I already tried:
I am not sure how to modify the subject placeholder.
6. Links to relevant resources:
Nothing to share
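Added for readers of this report, not the poster's code and not part of Caddy: the placeholder value is Go's pkix.Name.String() output, which prints any attribute type it has no short name for as the dotted OID, "#" and the hex of the DER-encoded value, and emailAddress is such a type. The program below reproduces that string from constructed values matching the report and shows how the receiving side can rewrite it into the emailAddress=... form; the regular expression, the RFC 4514 escaping of the decoded value and the function names are the editor's own choices.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// PKCS#9 emailAddress: pkix.Name.String() has no short name for this OID, so it
// prints the dotted OID, "#" and the DER-encoded value in hex, as in the report.
var emailAddressOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// The hex form carries no DN separators, so it is safe to match it directly.
var hexEmailAttr = regexp.MustCompile(`(^|,)1\.2\.840\.113549\.1\.9\.1=#([0-9a-fA-F]+)`)

// RFC 4514 2.4 specials; escaping them keeps a crafted value from injecting attributes.
var dnEscaper = strings.NewReplacer(`\`, `\\`, `,`, `\,`, `+`, `\+`, `"`, `\"`, `<`, `\<`, `>`, `\>`, `;`, `\;`)

// normalizeSubject rewrites a DN as returned by {http.request.tls.client.subject}
// so the attribute reads "emailAddress=<value>"; an undecodable value is kept raw.
func normalizeSubject(dn string) string {
	return hexEmailAttr.ReplaceAllStringFunc(dn, func(m string) string {
		sub := hexEmailAttr.FindStringSubmatch(m) // sub[1]: leading "," or "", sub[2]: hex DER
		der, err := hex.DecodeString(sub[2])
		var email string // asn1 decodes UTF8String, IA5String and PrintableString into a Go string
		if rest, uerr := asn1.Unmarshal(der, &email); err != nil || uerr != nil || len(rest) != 0 {
			return m // undecodable: keep the raw attribute rather than drop it
		}
		return sub[1] + "emailAddress=" + dnEscaper.Replace(email)
	})
}

// caddySubject reproduces the placeholder for a certificate like the reported one
// (constructed values): Caddy returns Subject.String(), and a parsed certificate
// keeps attributes that have no dedicated pkix.Name field in Names.
func caddySubject() string {
	return pkix.Name{
		CommonName: "john.doe", Organization: []string{"Spomky-Labs"}, Locality: []string{"Paris"},
		Province: []string{"France"}, Country: []string{"FR"},
		Names: []pkix.AttributeTypeAndValue{{Type: emailAddressOID, Value: "john.doe@meteofony"}},
	}.String()
}

func main() { fmt.Println(caddySubject(), "->", normalizeSubject(caddySubject())) }
```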