Question about tls client_auth specific user / cert and logging

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

I run Caddy as a Docker Swarm reverse proxy: GitHub - lucaslorentz/caddy-docker-proxy (Caddy as a reverse proxy for Docker)

a. System environment:

RancherOS v1.5.6, Docker CE 19.03.5, lucaslorentz/caddy-docker-proxy:2.3.0

b. Command:

I use Caddy as a Docker Swarm reverse proxy and it works fine!
Now I have tested TLS client_auth and it works too. I used an existing eToken and configured TLS client auth.

caddy.tls.client_auth.mode: "require"
caddy.tls.client_auth.trusted_ca_cert_file: "/data/nwe/nwe-ca.cert"

Generated caddy config:

tls {
    client_auth {
        mode require
        trusted_ca_cert_file /data/nwe/nwe-ca.cert
    }
}

3. The problem I’m having:

If TLS client auth fails (for example, the certificate can't be verified), there is a log entry, but in mode “require” (without verify) TLS client auth succeeds and is not logged?

  1. Is it possible to require a specific client / user certificate instead of just any client certificate?
  2. How do I add the client certificate that was used to the Caddy log and to HTTP headers?

Yeah I think you want trusted_leaf_cert instead?

I think you can use the header directive with any of the http.request.tls.client. placeholders below.

Hi @francislavoie,
Thanks for your answer and the hint about trusted_leaf_cert. I think I just need to add the specific client (leaf) certificate to have a chain from the client cert to the CA.

My first idea was to use the client certificate's subject name to filter allowed users after the client certificate has been verified against trusted_ca_cert. But using the client cert via the leaf directive should be fine.

So I should be able to use {http.request.tls.client.subject} to add a header, but is it possible to write the incoming client certificate (subject name?) to the Caddy log? With Caddy v1 I used a custom log format with placeholders, but I haven't found any custom log format examples with placeholders for Caddy v2.

Log directive
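Putting the two answers together, here is an added example Caddyfile (not the poster's generated config and not part of caddy-docker-proxy) that pins one specific leaf certificate, verifies the chain against the CA, copies the client subject into a request header, and writes JSON access logs so that the subject shows up in each log entry. The hostname example.com, the paths /data/nwe/allowed-client.cert and /var/log/caddy/access.log, the header name X-Client-Subject, the backend address backend:8080 and the availability of trusted_leaf_cert_file in the running Caddy version are assumptions for illustration.

```caddyfile
# Added example, not the poster's configuration. Hostname, file paths,
# header name and backend address are assumptions for illustration.
example.com {
	tls {
		client_auth {
			# require_and_verify rejects the handshake unless the client
			# presents a certificate that chains to the trusted CA below.
			# Plain "require" only checks that *some* certificate was sent.
			mode require_and_verify
			trusted_ca_cert_file /data/nwe/nwe-ca.cert
			# Pin the single leaf certificate that is allowed (exact match),
			# instead of accepting every certificate the CA has ever issued.
			trusted_leaf_cert_file /data/nwe/allowed-client.cert
		}
	}

	# Copy the verified subject DN into a request header. The value is set,
	# not appended, so anything the client sent under this name is replaced.
	# Request headers are part of the JSON access log entry, which is how the
	# subject ends up in the log without a custom log format.
	request_header X-Client-Subject {http.request.tls.client.subject}

	# Optionally echo the subject in the response for debugging.
	header X-Client-Subject {http.request.tls.client.subject}

	log {
		output file /var/log/caddy/access.log
		format json
	}

	reverse_proxy backend:8080
}
```

With caddy-docker-proxy the same settings map to labels in the style already used in the question, e.g. caddy.tls.client_auth.trusted_leaf_cert_file and caddy.request_header. To check it: a request made with the pinned certificate and key should succeed and its JSON log line should carry the DN under request.headers, while a different certificate issued by the same CA should be refused during the handshake and never reach the backend.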
