Setting up http(s) proxy with mutual authentication

Hi there,

I am trying to set up a proxy to a (Java based) https service that requires mutual authentication of the client connected to it. I have generated the certificates and signed them with a CA (self-signed though) and followed the procedures to set up the keystores and truststores required by the java server process.

Doing a request using curl on the command line gives back a successful response:

curl -k --cert client-cloud.certificate.pem --key client-cloud.key https://java-server-process:8081
{"success":"true"}

Now I am trying to wire this service using a web page that is served with Caddy. Here is an excerpt of the Caddy configuration:

0.0.0.0:3030
tls  client-cloud.certificate.pem client-cloud.key
log stdout
errors stdout

root /var/www

proxy /api https://java-server-process:8081 {
      without /api
      insecure_skip_verify
}

Unfortunately, when trying to access the /api endpoint, Caddy responds with HTTP error 502.

In essence, what is the proper way to implement mutual authentication to a proxied https service?

I am a newcomer to SSL mutual authentication and possibly missing something, so I will be grateful if someone helps shed some light on it.

Regards,
-Christos

Looking over the documentation, it doesn’t appear that the proxy middleware can be configured to present a client certificate for authentication. The tls directive sets the server certificates, unfortunately for your use case.

Unless I’m mistaken, I reckon it would make a great feature request if you wouldn’t mind putting up an issue at https://github.com/mholt/caddy/issues.
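To make the distinction in the answer above concrete (the tls directive configures the certificate Caddy presents as a server, while mutual authentication to the upstream needs a certificate presented by the proxy's TLS client), here is an added example that is not part of this thread and not Caddy's own code. It is a minimal Go reverse proxy that does what the v1 proxy directive could not: it offers a client certificate to the upstream and verifies the upstream against the CA instead of using insecure_skip_verify. The CA, server and client certificates are generated in process as a stand-in for the PEM files from the post, the Java service is replaced by an in-process TLS server that requires a client certificate, and the names demo-ca, java-server-process and client-cloud are illustrative. The second half reproduces the situation in the original Caddyfile: a proxy with no client certificate to offer gets its handshake refused and answers 502.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// issue mints a P-256 key and a certificate for cn signed by parent/parentKey, or a
// self-signed CA when parent is nil; it stands in for the PEM files from the post.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with crypto/rand
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: mark it as a CA and sign with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// newMTLSProxy is the piece the v1 proxy directive cannot express: a reverse proxy whose upstream
// TLS client presents clientCert and verifies the upstream against caPool. strip mirrors "without /api".
func newMTLSProxy(upstream *url.URL, clientCert *tls.Certificate, caPool *x509.CertPool, strip string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	cfg := &tls.Config{RootCAs: caPool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert} // client-side cert; "tls" only sets the server's
	}
	rp.Transport = &http.Transport{TLSClientConfig: cfg}
	return http.StripPrefix(strip, rp)
}

// get serves h on a throwaway plain-HTTP front end and requests /api/ through it.
func get(h http.Handler) (int, string, error) {
	front := httptest.NewServer(h)
	defer front.Close()
	resp, err := http.Get(front.URL + "/api/")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// runDemo stands up an in-process stand-in for the Java service (a TLS server that requires a client
// certificate) and calls it through a proxy holding the client certificate and one without, as in the post.
func runDemo() (withStatus int, withBody string, withoutStatus int, err error) {
	_, caCert, caKey := issue("demo-ca", nil, nil)
	serverTLS, _, _ := issue("java-server-process", caCert, caKey)
	clientTLS, _, _ := issue("client-cloud", caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	backend := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, `{"success":"true"}`) }))
	backend.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: no client certificate, no service
		ClientCAs:    pool,
	}
	backend.StartTLS()
	defer backend.Close()
	upstream, _ := url.Parse(backend.URL)
	// Correct wiring: the proxy offers client-cloud's certificate and relays the JSON reply.
	if withStatus, withBody, err = get(newMTLSProxy(upstream, &clientTLS, pool, "/api")); err != nil {
		return
	}
	// The post's wiring: nothing to offer, the backend refuses the handshake, the proxy answers 502.
	withoutStatus, _, err = get(newMTLSProxy(upstream, nil, pool, "/api"))
	return
}

func main() { log.Println(runDemo()) } // stand-alone run prints the two statuses and the body
```

The configuration that matters is the tls.Config on the proxy's http.Transport, not the one on the listener: Certificates there is the client certificate offered during the upstream handshake, and RootCAs is the CA the upstream's certificate is checked against, which removes the need for insecure_skip_verify. The failing case shows why the original setup produced a 502 rather than a TLS error in the browser: the handshake that fails is the one between the proxy and the backend, and the reverse proxy turns that transport error into a 502 towards the client.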

Thank you @Whitestrake for clarifying this, I will go ahead and open an issue on GH.
