1. The problem I’m having:
I do not have a Caddyfile yet, I am investigating whether a scenario is possible. As such I will skip most of this template.
I want to know if it is possible to require different TLS client certificates for different paths of a single domain.
In a simple reverse_proxy with TLS client authentication I would do something like:
a.domain.com {
    reverse_proxy /path/one 10.1.1.1:80
    tls {
        client_auth {
            trusted_ca_cert_file /path/to/certificate.crt
        }
    }
}
Instead, how could I have two paths of the same domain that require two different certificates?
For example:
a.domain.com/path/one --- requires TLS client certificate one.crt
a.domain.com/path/two --- requires TLS client certificate two.crt
Both of these paths would reverse-proxy towards the same backend.
If I understand correctly, I need to have a single site block with different reverse_proxy directives, but I found no way of differentiating the client certificates.
The tls directive under the reverse_proxy directive is only relevant for the connection to the backend.
I am aware that this could be split into different subdomains. For other reasons it would be vastly easier if this solution could be achieved.
Is this possible to achieve? Can I maybe use some rewriting rules?
3. Caddy version:
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
4. How I installed and ran Caddy:
sudo apt install caddy
a. System environment:
Ubuntu 24.04.1 LTS Linux 6.8.0-79-generic #79-Ubuntu SMP PREEMPT_DYNAMIC x86_64
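Added example, not from the original post: one way to express the scenario above in a Caddyfile. Because client certificates are verified in the TLS handshake (per connection, not per request), both issuing CAs are trusted at the TLS layer and the per-path restriction is enforced at the HTTP layer with the `{http.request.tls.client.issuer}` placeholder. The CA file paths and the issuer DNs are assumed values.

```caddyfile
a.domain.com {
	# Client certificates are checked during the TLS handshake, once per
	# connection, so both CAs must be trusted here. The per-path decision
	# happens below, at the HTTP layer, on the verified certificate's issuer.
	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /path/to/ca-one.crt   # CA that issues one.crt (assumed path)
			trusted_ca_cert_file /path/to/ca-two.crt   # CA that issues two.crt (assumed path)
		}
	}

	# Issuer DNs are constructed examples; compare the full DN, not a substring,
	# so a CA with a similar name cannot satisfy the match.
	@one {
		path /path/one /path/one/*
		expression {http.request.tls.client.issuer} == "CN=Client CA One,O=Example"
	}
	@two {
		path /path/two /path/two/*
		expression {http.request.tls.client.issuer} == "CN=Client CA Two,O=Example"
	}

	# Both paths go to the same backend, as in the question.
	handle @one {
		reverse_proxy 10.1.1.1:80
	}
	handle @two {
		reverse_proxy 10.1.1.1:80
	}

	# A valid certificate from the other CA (or any other path) is refused here
	# rather than being proxied.
	handle {
		respond 403
	}
}
```

Note that a client holding a certificate from either CA still completes the handshake; the authorization boundary is the HTTP matcher, so the fallback `handle` is what keeps the two paths separate.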