Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

forward: feature to forward client certificate infos #68

Closed
wants to merge 1 commit into from
Closed

forward: feature to forward client certificate infos #68

wants to merge 1 commit into from

Conversation

zyclonite
Copy link

Added switch to enable forwading of client certificate CommonName and SerialNumber to origin via X-SSL- headers

enables the origin server to check the common name and/or serial number after the proxy validated/terminated the ssl connection

@pquerna
Copy link
Contributor

pquerna commented Apr 21, 2017
edited
Loading

I wonder if this should be controlled by a template string?

Apache and other webservers do it that way

So it would be something like the forwarder having a map[string]string, of Header names and header format strings, using text/template:

map[string]string{
   "X-SSL-Client-CN": "{{.Request.TLSInfo.Cert.ClientCN}}".
}

@zyclonite zyclonite mentioned this pull request May 23, 2017
Merged
@zyclonite
Copy link
Author

sounds like a good idea but i am quite new to golang so this could take me a while ...

@beejei
Copy link

beejei commented Jul 3, 2017

Please apply this feature to release. I'm looking forward this.

@jgiles
Copy link

jgiles commented Nov 13, 2017

We're also interested in extracting certificate info and adding it to the forwarded request headers.

@pquerna would the recommended approach be a generic header-addition mechanism of the sort supported by nginx, Apache, etc?

I like that idea, though especially for extracting certificate fields the structs might be complicated enough that extraction with template strings could be a pain (we have arrays, conditionally-present things, etc): https://golang.org/pkg/net/http/#Request

Do you have a sense of how much work that would be to add, and how one might get started?

@jbdoumenjou
Copy link
Contributor

Hi @zyclonite , this feature would be awesome!
IMHO, the simplest way to have a more complete solution would be an X-SSL-Client-Cert header.
In this way, the header with the client certificate contains all the necessary informations and you can keep the actual mechanism.
I did some tests and I would be very happy to help you if you wish.

@zyclonite
Copy link
Author

hi @jbdoumenjou,

i tried to have less complexity on the origin, simply trusting the oxy layer to offload the authentication and forwarding just some credentials would be ideal for my use-case. always forwarding the complete certificate is quite some payload to smaller requests
if in understood your approach correctly, this header is sent every request, disabling features that come already with tls, like e.g. session resumption (cert needs to be parsed on the origin every time to identify the user..)

@jbdoumenjou
Copy link
Contributor

Effectively, it is not exactly the same need. I was thinking about one more flag option to pass the certificate and so all the associated data. Indeed, it seems overkill just for one little information about the client certificate. :)

@juliens
Copy link
Contributor

juliens commented Nov 4, 2022

Considering the refactoring #229 this feature should implement as a middleware.

@juliens juliens closed this Nov 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@zyclonite @pquerna @beejei @jgiles @jbdoumenjou @juliens