I’m trying to use optional client authentication for a site and would like to allow only some paths for unauthenticated clients while allowing all for mTLS-authenticated clients.
A very similar issue was discussed in #8949 “Identify TLS client authentication”, with a comprehensive list of matchers that can be used.
The problem I’m having is that all these matchers are pre-validation as far as I can see.
Maybe I missed some documentation, but I don’t see any way to meaningfully use the “verify_if_given” option in tls > client_auth > mode, if there is no way to check if a certificate was validated.
I was thinking about it since I saw it a few days ago. I think I have a working solution using the vars_regexp matcher.
Can you make use of this?
example.com {
	tls {
		client_auth {
			mode verify_if_given
			trust_pool file root.pem
		}
	}

	# ensure at least 1 character is present in the fingerprint to indicate an mTLS
	# certificate was provided, hence successful if it reached this far.
	@authed vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})
	@notauthed not vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})

	# use the matchers accordingly, preferably with `handle` to ensure mutually-exclusive handling
	# ...
}
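A fuller Caddyfile built on the same matcher, as an added example rather than the poster's own config. It assumes the backend is at localhost:8080 and that unauthenticated clients may only reach /public/*; everything else they request is refused with a 403.

```caddyfile
example.com {
	tls {
		client_auth {
			mode verify_if_given
			trust_pool file root.pem
		}
	}

	# A non-empty fingerprint means the client presented a certificate that
	# chained to root.pem: with verify_if_given, a certificate that fails
	# verification aborts the handshake and never reaches a handler, and a
	# client that sent no certificate leaves the placeholder empty.
	@authed vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})

	# Authenticated clients: every path is allowed.
	handle @authed {
		reverse_proxy localhost:8080
	}

	# Unauthenticated clients: only the public paths (assumed prefix).
	handle /public/* {
		reverse_proxy localhost:8080
	}

	# Unauthenticated clients requesting anything else are refused.
	# handle blocks are mutually exclusive, so this only runs when
	# neither block above matched.
	handle {
		respond "client certificate required" 403
	}
}
```

Because the first two blocks route to the same backend, the order in which Caddy sorts the @authed and /public/* handle blocks does not change the outcome; only the catch-all must come last.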