SSL Mutual-Authentication

zero-x-baadf00d · April 28, 2017, 8:04am

Hello,

We are looking to migrating from Nginx to Caddy but we can’t found how to forward client SSL certificate information to the backend. The kind of authentication is a standard in bank or financial domains.

With Nginx, we can get information like

proxy_set_header X-ClientSSL-Status $ssl_client_verify;  //  “SUCCESS”, “FAILED:reason”, or “NONE”
proxy_set_header X-ClientSSL-DN $ssl_client_s_dn;  // The subject DN
proxy_set_header X-ClientSSL-Finger $ssl_client_fingerprint;  // The certificate fingerprint

How to pass same data to backend with Caddy ?

Thanks

Whitestrake · April 28, 2017, 9:58am

The short answer is that the data isn’t available through configuration, yet. Caddy would need to be modified in order to make it available.

Here’s the thread from the last time a similar question was raised:

zero-x-baadf00d · April 28, 2017, 11:33am

Ok, is this modification was on your roadmap ? any ETA ? Currently, SSL Authentication seems useless if we can identify one client from other.

Thanks

matt · April 28, 2017, 2:25pm

Yeah, this recently became possible with the release of Go 1.8; the unchecked item in https://github.com/mholt/caddy/issues/1375 is what you’re looking for.

It just requires some parameters added to the tls directive of the Caddyfile and then implementing that callback function mentioned in the issue. I think.

Feel free to contribute a pull request! Or I will get around to it eventually.

system · July 27, 2017, 2:40pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.