Question about tls client_auth specific user / cert and logging

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

I run caddy as a docker swarm reverse proxy:

a. System environment:

RancherOS v1.5.6, Docker CE 19.03.5, lucaslorentz/caddy-docker-proxy:2.3.0

b. Command:

I use caddy as a docker swarm reverse proxy and it works fine!
Now I tested tls client_auth and it works too. I used an existing eToken and configured tls client auth.

caddy.tls.client_auth.mode: "require"
caddy.tls.client_auth.trusted_ca_cert_file: "/data/nwe/nwe-ca.cert"

Generated caddy config:

tls {
        client_auth {
                mode require
                trusted_ca_cert_file /data/nwe/nwe-ca.cert
        }
}

3. The problem I’m having:

If tls client auth fails (for example, the certificate can’t be verified), there is a log entry, but in mode “require” (without verify) tls client auth succeeds and is not logged?

  1. Is it possible to require a specified client / user certificate instead of just any client certificate?
  2. How do I add the used client certificate to the caddy log and http headers?

Yeah I think you want trusted_leaf_cert instead?

I think you can use the header directive with any of the http.request.tls.client. placeholders below:

Hi @francislavoie,
thanks for your answer and the hint about trusted_leaf_cert. I think I just need to add the specific client (leaf) certificate to have a chain from the client cert to the CA.

My first idea was to use the client certificate subject name to filter allowed users after the client certificate is verified against trusted_ca_cert. But using the client cert via the leaf directive should be fine.

So I should be able to use {http.request.tls.client.subject} to add a header, but is it possible to write the incoming client certificate (subject name?) to the caddy log? With caddy v1 I used a custom log format with placeholders, but I haven’t found any custom log format examples with placeholders for caddy v2?
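To make the difference between the modes discussed in this thread concrete, here is an added Go example (not Caddy's code and not from any post above). It models only the server-side decision: Verify=false stands in for mode require (any presented certificate passes, which is why nothing is recorded as a failure), Verify=true stands in for a verifying mode that chains the certificate to the trusted CA, and a pinned SHA-256 fingerprint stands in for the trusted_leaf_cert idea, so that one specific user certificate is accepted rather than any certificate the CA issued. The CA, the users alice and bob, the self-signed stranger and the CA name nwe-ca are all constructed in the code; the Policy and AuditRecord types and their field names are this example's own and not Caddy's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is this example's model of the server side of client_auth (names are assumed, not Caddy's).
type Policy struct {
	Verify     bool           // false: like mode "require" (any presented cert passes); true: it must chain to Roots
	Roots      *x509.CertPool // the trusted CA, as with trusted_ca_cert_file
	PinnedLeaf string         // hex SHA-256 of the one acceptable leaf (the trusted-leaf idea); "" = any leaf
}

// AuditRecord is what a log line or response header should carry, for rejected handshakes too.
type AuditRecord struct {
	Subject, Fingerprint, Reason string
	Accepted                     bool
}

// Fingerprint is the hex SHA-256 over the DER encoding of the certificate.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Evaluate applies the policy to the leaf the client presented (nil = none presented).
func (p Policy) Evaluate(leaf *x509.Certificate) AuditRecord {
	if leaf == nil {
		return AuditRecord{Reason: "no client certificate presented"}
	}
	rec := AuditRecord{Subject: leaf.Subject.String(), Fingerprint: Fingerprint(leaf)}
	if p.Verify {
		opts := x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := leaf.Verify(opts); err != nil {
			rec.Reason = "chain verification failed: " + err.Error()
			return rec
		}
	}
	if p.PinnedLeaf != "" && rec.Fingerprint != p.PinnedLeaf {
		rec.Reason = "certificate is not the pinned leaf"
		return rec
	}
	rec.Accepted, rec.Reason = true, "accepted"
	return rec
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a constructed test certificate; parent == nil makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario builds a constructed CA, two users it issued and a self-signed stranger,
// then evaluates every client under every policy; keys are "<policy>/<client>".
func Scenario() map[string]AuditRecord {
	ca, caKey := newCert("nwe-ca", true, nil, nil)
	alice, _ := newCert("alice", false, ca, caKey)
	bob, _ := newCert("bob", false, ca, caKey)
	stranger, _ := newCert("stranger", false, nil, nil) // not issued by our CA
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policies := map[string]Policy{
		"require":            {Roots: roots},
		"require_and_verify": {Verify: true, Roots: roots},
		"pinned_alice":       {Verify: true, Roots: roots, PinnedLeaf: Fingerprint(alice)},
	}
	clients := map[string]*x509.Certificate{"alice": alice, "bob": bob, "stranger": stranger, "none": nil}
	out := map[string]AuditRecord{}
	for pn, p := range policies {
		for cn, c := range clients {
			out[pn+"/"+cn] = p.Evaluate(c)
		}
	}
	return out
}

func main() {
	for k, r := range Scenario() {
		fmt.Printf("%-28s accepted=%-5v subject=%q fp=%.12s reason=%s\n", k, r.Accepted, r.Subject, r.Fingerprint, r.Reason)
	}
}
```

Running it with go run prints one line per policy/client pair: the stranger's self-signed certificate is accepted under "require" and rejected as soon as chain verification is on, and bob's perfectly valid CA-issued certificate is rejected only by the pinned policy. Every record carries the subject and fingerprint whether or not the client was accepted, which is the shape you want in an access log or in a header built from {http.request.tls.client.subject}.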

