Example: mTLS with Basic Auth fallback

This is a config, written according to the linked post, that lets basic auth be used as a fallback when an mTLS client cert is not presented.

# This snippet defines a named matcher for requests that arrived WITHOUT an mTLS
# client cert: it matches when the {tls_client_subject} placeholder is unset.
# private_auth / guest_auth use it so basicauth is only demanded on those requests.
# NOTE(review): relies on the placeholder being null when no client cert was
# presented — confirm this against the Caddy version in use.
(missing_mTLS_cert) {
    @missing_mTLS_cert {
        expression {tls_client_subject} == null
    }
}

# basicauth user list for the admin role (one "username hash" line per account).
# The hash is a base64-encoded bcrypt string ("JDJhJDEw..." decodes to "$2a$10$...").
# Sample credentials only — replace the user and hash before deploying this.
(admin_user) {
    # user: test, pass: test
    test JDJhJDEwJGdtd01Gc0ttWUJFaVZEY0hpMGIwTmVSb2lwalpSUFl1NnouT2VjeTZwOTZCNDRuWVA4Ti5h
}

# basicauth user list for the guest role.
# Sample credentials only. Note this is the identical hash used by admin_user
# (same password "test"), so in this example both accounts share one secret;
# give each account its own password/hash in a real deployment.
(guest_user) {
    # user: guest, pass: test
    guest JDJhJDEwJGdtd01Gc0ttWUJFaVZEY0hpMGIwTmVSb2lwalpSUFl1NnouT2VjeTZwOTZCNDRuWVA4Ti5h
}

# Basic-auth fallback for admin-only sites: basicauth is applied ONLY to requests
# matched by @missing_mTLS_cert (no client cert presented). Requests that did
# present a client cert skip basicauth entirely, so the strength of this gate
# depends on the site's tls client_auth mode actually verifying presented certs
# (see mTLS_optional). Only admin_user credentials are accepted here.
# NOTE(review): newer Caddy releases spell this directive `basic_auth`; the old
# name still works with a deprecation notice — confirm for the version in use.
(private_auth) {
    import missing_mTLS_cert
    basicauth @missing_mTLS_cert {
        import admin_user
    }
}

# Same shape as private_auth, but the basicauth fallback accepts both admin_user
# and guest_user credentials. Not imported by either site block in this example;
# import it instead of private_auth on sites where guest accounts should get in.
(guest_auth) {
    import missing_mTLS_cert
    basicauth @missing_mTLS_cert {
        import admin_user
        import guest_user
    }
}

# use this import if you want to always require mTLS certs to get in
# require_and_verify: the TLS handshake fails unless the client presents a cert
# that verifies against trusted_ca_cert_file. Because connections without a cert
# never reach the HTTP handlers, a basicauth fallback cannot apply on sites that
# import this snippet. Replace the placeholder CA path with your real CA bundle.
(mTLS_required) {
    tls {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /path/to/cert/cert.cer
        }
    }
}

# use this import if you want to be able to fallback to basic auth
# verify_if_given: a client cert is not required (so the handshake succeeds and
# the @missing_mTLS_cert matcher can route the request to basicauth), but any
# cert that IS presented must verify against trusted_ca_cert_file. Do not use a
# mode that skips verification here, or a self-issued cert would bypass basicauth.
# Replace the placeholder CA path with your real CA bundle.
(mTLS_optional) {
    tls {
        client_auth {
            mode verify_if_given
            trusted_ca_cert_file /path/to/cert/cert.cer
        }
    }
}

# this one has optional mTLS
# Clients with a valid client cert pass straight through; clients without one
# must satisfy basicauth (admin_user only) before reaching the proxied backend.
# Directive order is fixed by Caddy's directive ordering, not by the order
# written here, so basicauth runs before reverse_proxy regardless.
example.com {
    encode gzip
    reverse_proxy localhost:9090
    import mTLS_optional
    import private_auth
}

# or try it with required mTLS
# No basicauth here: every request must come over a connection that presented
# a client cert verified against the trusted CA, otherwise the handshake fails.

required.example.com {
    encode gzip
    reverse_proxy localhost:9091
    import mTLS_required
}