Is there a way to add an exception for mTLS?

Here is my current config:

(mtls) {
        tls {
                client_auth {
                        trust_pool file /etc/caddy/darincrt.pem
                }

        }
}

What I would like to do is add an exception for a range of IP addresses. Right now mTLS auth is required from all sources, which isn’t ideal.

Just spitballing:

(mtls) {
        tls {
                client_auth {
                        mode verify_if_given
                        trust_pool file /etc/caddy/darincrt.pem
                }

        }
}

Then create a named matcher, for example:

@block_access {
    not vars_regexp {http.request.tls.client.issuer} ^.+$
    not remote_ip ALLOWED_IP_ADDRESSES
}

handle @block_access {
    respond 403
}
3 Likes
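Putting the two pieces together, here is a complete site block added as an example (not a config from the thread); the hostname, the upstream and the allow-listed addresses are placeholders, the trust pool path is the one from the original post.

```caddyfile
# Added example: snippet + named matcher assembled into a full site.
(mtls) {
        tls {
                client_auth {
                        # verify_if_given: a certificate that IS presented must
                        # validate against the trust pool or the handshake
                        # fails; a connection with NO certificate is accepted
                        # at the TLS layer and decided by the matcher below.
                        mode verify_if_given
                        trust_pool file /etc/caddy/darincrt.pem
                }
        }
}

example.com {    # placeholder hostname
        import mtls

        # Deny only when BOTH hold: no client certificate was presented
        # (the issuer placeholder expands to an empty string, so the
        # regexp ^.+$ does not match) AND the peer address is outside
        # the allow list. 10.20.0.0/16 and 192.0.2.10 are placeholders.
        @block_access {
                not vars_regexp {http.request.tls.client.issuer} ^.+$
                not remote_ip 10.20.0.0/16 192.0.2.10
        }

        handle @block_access {
                respond 403
        }

        # Certificate-authenticated clients and allow-listed addresses
        # reach the application.
        handle {
                reverse_proxy localhost:8080    # placeholder upstream
        }
}
```

remote_ip compares against the peer address of the TCP connection, so if Caddy sits behind another proxy or load balancer the check sees that proxy's address rather than the end client's.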

I just tested this and it works as expected:

  • If the client presents a certificate, it has to pass validation.
  • If the client doesn’t present a certificate, then its IP address is checked instead.
2 Likes

Is there a way to do this in pure layer 4 (as in, during the TLS handshake)?

You can use abort instead of respond 403.

2 Likes