TLS: authentication with client cert

With NGINX I can require a client certificate and use info from it to, e.g., set certain headers:

ssl_verify_client on;
...
proxy_set_header X-DN $ssl_client_s_dn;

So there are a number of Embedded Variables in the NGINX module (Module ngx_http_ssl_module).

With Caddy I can use

tls [cert key] {
    clients   [request|require|verify_if_given] clientcas...
}

But the question: are there any {placeholders} for the cert’s info? (I couldn’t find them in the source, but that may be because of my lack of Go knowledge.)

If there aren’t any … please give me a hint (a direction) on the right way to extend caddytls (add a new plugin?) to support such placeholders.

Thanks in advance.
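As an added example (not code from the original post or from Caddy or NGINX), here is the same `ssl_verify_client on; proxy_set_header X-DN $ssl_client_s_dn;` behaviour written directly against Go's `crypto/tls` and `net/http`, which is what a Caddy placeholder for client-certificate data would ultimately read from: the handshake is configured to refuse clients without a certificate chaining to a trusted CA, and a middleware copies the verified subject into `X-DN` / `X-CN` headers for the upstream. The names `ClientCertHeaders`, `newClientCert` and `MutualTLSRoundTrip`, the header names, and the self-signed "alice" certificate are all assumptions made for this example; the round trip runs entirely in-process with an `httptest` server so it can be executed offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// ClientCertHeaders is the Go counterpart of nginx's
//   proxy_set_header X-DN $ssl_client_s_dn;
// Client-supplied X-DN/X-CN are dropped first so they cannot be spoofed; the cert is
// trustworthy only because the server's tls.Config uses RequireAndVerifyClientCert.
func ClientCertHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("X-DN")
		r.Header.Del("X-CN")
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		leaf := r.TLS.PeerCertificates[0] // index 0 is the leaf
		r.Header.Set("X-DN", leaf.Subject.String()) // RFC 2253 form: CN=...,O=...,C=...
		r.Header.Set("X-CN", leaf.Subject.CommonName)
		next.ServeHTTP(w, r)
	})
}

// newClientCert mints a self-signed cert valid for client auth (constructed test material;
// a real deployment issues client certs from its own CA and puts that CA in ClientCAs).
func newClientCert(cn, org, country string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}, Country: []string{country}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // the server's verifier insists on this
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// MutualTLSRoundTrip runs an in-process mTLS server trusting ca, connects with clientCert
// (nil = offer none) and returns the X-DN / X-CN values the upstream actually received.
func MutualTLSRoundTrip(ca *x509.Certificate, clientCert *tls.Certificate) (dn, cn string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Stand-in for the proxied application: echo the injected headers back.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-DN", r.Header.Get("X-DN"))
		w.Header().Set("X-Seen-CN", r.Header.Get("X-CN"))
	})
	srv := httptest.NewUnstartedServer(ClientCertHeaders(upstream))
	srv.TLS = &tls.Config{ // StartTLS keeps this config and adds the server cert
		ClientAuth: tls.RequireAndVerifyClientCert, // ssl_verify_client on
		ClientCAs:  pool,
		MinVersion: tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's certificate
	if clientCert != nil {
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", "", err // with no cert offered, this is the refused handshake
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Seen-DN"), resp.Header.Get("X-Seen-CN"), nil
}

func main() {
	tlsCert, ca, err := newClientCert("alice", "Example", "US")
	if err != nil {
		panic(err)
	}
	dn, cn, err := MutualTLSRoundTrip(ca, &tlsCert)
	fmt.Printf("with cert: X-DN=%q X-CN=%q err=%v\n", dn, cn, err)
}
```

Two points worth keeping in mind when porting this idea to a proxy: `PeerCertificates` is only an authenticated identity when `ClientAuth` is `RequireAndVerifyClientCert` or `VerifyClientCertIfGiven`; under `RequestClientCert` or `RequireAnyClientCert` Go accepts any certificate unverified, so a header derived from it is just a claim the client made. And the proxy must delete whatever `X-DN`-style headers arrive from the client before setting its own, exactly as the middleware above does, or the upstream can be fed a forged identity over a perfectly valid mTLS connection.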


Looks like here’s where the magic happens - I think you might need to submit a pull request if you want to add additional placeholders.

Placeholders get values from a request. TLS doesn’t know about HTTP, let alone requests. It doesn’t make much sense to add placeholders to the TLS directive.

The Caddyfile, though, does support the use of environment variables. (Edit: I see now that’s not quite what you’re looking for.)

Okay, so after looking at this again, you want a placeholder not for use in the tls directive, but one that gets information from the TLS connection.

So yes, follow Matthew’s advice. :wink: That would be the place to add placeholder values.

Thanks, Matthew and Matt.
I saw that replacer function, but didn’t pay attention that it gets all the info about the request. Nice.
I’ll dig deeper into how to use the cert’s info here.

P.S.: Matthew, in the end I’ll do a pull request (if anybody needs this feature at all). It’ll take some time as it is my “Hello World” in Go :wink:


Hi SDen, have you finished and submitted the feature? It’s really a common feature in nginx to extract the client certificate DN/CN and pass it to the upstream via an HTTP header.

No, not yet … At the current research phase I’m dealing with certs at a low level (from the HTTP request). I’m not using Caddy (or Nginx) for SSL termination; it is done at the application level. There is just a proxy in front with dynamic service discovery (an experiment with Traefik), as I have my API in several containers.

My research went far beyond just SSL termination and auth on the proxy side (the initial motivation). So I postponed this idea for now.

Some new commits to Caddy use Go 1.8, and together that should make this more of a possibility; in fact, a placeholder was just implemented (on the master branch) that pulls data directly from the TLS handshake. So that’s a start.
