SSL Mutual-Authentication


We are looking to migrate from Nginx to Caddy, but we can't find how to forward client SSL certificate information to the backend. This kind of authentication is standard in banking and financial domains.

With Nginx, we can get information like this:

proxy_set_header X-ClientSSL-Status $ssl_client_verify;        # "SUCCESS", "FAILED:reason", or "NONE"
proxy_set_header X-ClientSSL-DN     $ssl_client_s_dn;          # the subject DN
proxy_set_header X-ClientSSL-Finger $ssl_client_fingerprint;   # the certificate fingerprint

How can we pass the same data to the backend with Caddy?


The short answer is that the data isn’t available through configuration, yet. Caddy would need to be modified in order to make it available.

Here’s the thread from the last time a similar question was raised:

OK, is this modification on your roadmap? Any ETA? Currently, SSL authentication seems useless if we can't identify one client from another.


Yeah, this recently became possible with the release of Go 1.8; the unchecked item in is what you’re looking for.

It just requires some parameters added to the tls directive of the Caddyfile and then implementing that callback function mentioned in the issue. I think.

Feel free to contribute a pull request! Or I will get around to it eventually.
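What the answer above describes, shown as an added example that is not code from this thread, from Caddy or from nginx: a small Go reverse proxy that derives the three nginx values ($ssl_client_verify, $ssl_client_s_dn, $ssl_client_fingerprint) from the client certificate on the TLS connection and forwards them in the headers the question names. The backend address, the self-signed certificate and the "Example Bank" subject are constructed demo data; the fingerprint is SHA-256 rather than nginx's SHA-1, and the code uses a generic helper, so it needs Go 1.18 or later, not the Go 1.8 mentioned in the thread. Two points the example makes that the configuration alone does not: verification runs in application code (serve with ClientAuth: tls.RequestClientCert) so that an unknown certificate is reported as FAILED:<reason> instead of killing the handshake, and the proxy deletes any X-ClientSSL-* headers the client sent itself before setting its own, otherwise a client could simply claim SUCCESS or another user's DN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// Header names follow the nginx config in the question.
const (
	hdrStatus = "X-ClientSSL-Status"
	hdrDN     = "X-ClientSSL-DN"
	hdrFinger = "X-ClientSSL-Finger"
)

// clientCertHeaders computes the equivalents of nginx's $ssl_client_verify,
// $ssl_client_s_dn and $ssl_client_fingerprint. The chain is verified here, not
// in the handshake, so an unknown certificate still reaches the proxy and is
// reported as "FAILED:<reason>", like nginx's "ssl_verify_client optional_no_ca".
func clientCertHeaders(cs *tls.ConnectionState, roots *x509.CertPool) (status, dn, fingerprint string) {
	if cs == nil || len(cs.PeerCertificates) == 0 {
		return "NONE", "", ""
	}
	leaf := cs.PeerCertificates[0]
	dn = leaf.Subject.String()
	sum := sha256.Sum256(leaf.Raw) // nginx uses SHA-1; SHA-256 is this example's choice
	fingerprint = hex.EncodeToString(sum[:])

	// Any extra certificates the client presented are offered as intermediates.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	for _, c := range cs.PeerCertificates[1:] {
		opts.Intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "FAILED:" + err.Error(), dn, fingerprint
	}
	return "SUCCESS", dn, fingerprint
}

// newDirector wraps the stock reverse-proxy Director: it first deletes any
// X-ClientSSL-* headers the client sent itself, so nobody can claim "SUCCESS"
// or another user's DN, then sets them from the verified TLS state.
func newDirector(backend *url.URL, roots *x509.CertPool) func(*http.Request) {
	base := httputil.NewSingleHostReverseProxy(backend).Director
	return func(r *http.Request) {
		base(r)
		for _, h := range []string{hdrStatus, hdrDN, hdrFinger} {
			r.Header.Del(h)
		}
		status, dn, fp := clientCertHeaders(r.TLS, roots)
		r.Header.Set(hdrStatus, status)
		if dn != "" {
			r.Header.Set(hdrDN, dn)
			r.Header.Set(hdrFinger, fp)
		}
	}
}

// must panics on error; fine for a demo, not for a server.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedClientCert is constructed demo data: a throwaway self-signed
// certificate standing in for a bank-issued client certificate.
func selfSignedClientCert(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Bank"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	cert := selfSignedClientCert("alice")
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	backend := must(url.Parse("http://127.0.0.1:8080")) // hypothetical backend address
	req := must(http.NewRequest("GET", "https://example.test/account", nil))
	req.Header.Set(hdrStatus, "SUCCESS") // spoof attempt; the Director removes it
	req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}
	newDirector(backend, trusted)(req)
	fmt.Println(req.Header.Get(hdrStatus), req.Header.Get(hdrDN), req.Header.Get(hdrFinger))
}
```

In a real deployment the trusted pool holds the bank's client CA, not the leaf, and the backend must be reachable only from this proxy; if a client can reach it directly, the headers are worth nothing no matter what the proxy strips.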
