This Caddyfile, built from the post linked here, lets HTTP basic auth be used as a fallback when a client does not present an mTLS client certificate (see the `mTLS_optional` snippet); the `mTLS_required` snippet shows the stricter variant where a certificate is always required.
# This matcher checks for the presence of an mTLS client cert.
# It matches requests on which no client-certificate subject is available,
# i.e. the connection was established without a client cert.
(missing_mTLS_cert) {
# NOTE(review): this relies on {tls_client_subject} evaluating as null (not as an
# empty string) when no certificate was presented — confirm against the Caddy
# version in use, otherwise the fallback never triggers or always triggers.
@missing_mTLS_cert {
expression {tls_client_subject} == null
}
}
# Demo credential used by private_auth and guest_auth. Replace before any real deployment.
(admin_user) {
# user: test, pass: test
# The value is the base64 encoding of a "$2a$10$..." bcrypt hash, which is the
# form Caddy's basicauth directive expects. NOTE(review): the identical hash is
# reused for guest_user below, so both demo accounts share the password "test".
test JDJhJDEwJGdtd01Gc0ttWUJFaVZEY0hpMGIwTmVSb2lwalpSUFl1NnouT2VjeTZwOTZCNDRuWVA4Ti5h
}
# Demo credential accepted only by guest_auth. Replace before any real deployment.
(guest_user) {
# user: guest, pass: test
# Same base64-encoded bcrypt hash as admin_user (same password); generate a
# distinct hash for a real guest account.
guest JDJhJDEwJGdtd01Gc0ttWUJFaVZEY0hpMGIwTmVSb2lwalpSUFl1NnouT2VjeTZwOTZCNDRuWVA4Ti5h
}
# Basic-auth fallback that accepts only the admin_user credential.
# basicauth is applied only to requests matched by @missing_mTLS_cert, i.e. requests
# that arrived without a client certificate; a request that did present a cert is
# passed through with no further authentication. How strong that pass-through is
# depends entirely on the tls client_auth mode imported alongside this snippet.
(private_auth) {
import missing_mTLS_cert
basicauth @missing_mTLS_cert {
import admin_user
}
}
# Basic-auth fallback that accepts both the admin_user and the guest_user credentials.
# Same gating as private_auth: only requests without a client cert are challenged.
# Not imported by any site block in this file; it is here as the broader-access variant.
(guest_auth) {
import missing_mTLS_cert
basicauth @missing_mTLS_cert {
import admin_user
import guest_user
}
}
# use this import if you want to always require mTLS certs to get in
# require_and_verify: the TLS handshake fails unless the client presents a
# certificate that chains to the trusted CA below, so nothing reaches the HTTP
# layer (and no basic-auth fallback is possible) without a valid cert.
(mTLS_required) {
tls {
client_auth {
mode require_and_verify
# Must point at the issuing CA certificate (or chain), not a leaf/client cert.
# NOTE(review): Caddy reads this file as PEM — confirm the .cer is PEM-encoded
# rather than DER before relying on it.
trusted_ca_cert_file /path/to/cert/cert.cer
}
}
}
# use this import if you want to be able to fallback to basic auth
# verify_if_given: a client that presents a certificate must chain to the trusted
# CA below or the handshake fails; a client that presents none is still allowed
# to connect, and then hits the basic-auth fallback (private_auth / guest_auth).
# Security note: with this mode the password strength and any brute-force
# protection on the basicauth path become the effective access boundary.
(mTLS_optional) {
tls {
client_auth {
mode verify_if_given
# Must point at the issuing CA certificate (or chain), not a leaf/client cert.
# NOTE(review): Caddy reads this file as PEM — confirm the .cer is PEM-encoded
# rather than DER before relying on it.
trusted_ca_cert_file /path/to/cert/cert.cer
}
}
}
# this one has optional mTLS: a verified client cert OR the admin_user basic-auth
# credential grants access to the proxied backend on localhost:9090.
# The basicauth directive imported via private_auth runs before reverse_proxy per
# Caddy's default directive ordering, regardless of its textual position here.
example.com {
encode gzip
reverse_proxy localhost:9090
import mTLS_optional
import private_auth
}
# or try it with required mTLS: no basic-auth snippet is imported, so only clients
# presenting a certificate trusted by the configured CA can reach localhost:9091.
required.example.com {
encode gzip
reverse_proxy localhost:9091
import mTLS_required
}