feat: SSL client certificate validation #2592
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
e520300 to
f3d1c9b
Compare
f3d1c9b to
6443ee2
Compare
6443ee2 to
94fe047
Compare
94fe047 to
054a64e
Compare
@SchoNie I do 👍 |
054a64e to
5ade728
Compare
5ade728 to
5e77e29
Compare
buchdag
reviewed
Jun 7, 2025
buchdag
approved these changes
Jun 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for the
ssl_client_certificate,ssl_verify_client optionalandssl_crldirectives. It was requested and discussed multiple times over the years and I wanted to experiment with mTLS in my setup so I continued and combined the existing PR's enabling verification of client side certificates (mutual TLS) based on if a CA file exists.A Certificate Revocation List (CRL) can be used.
Optional ssl_verify_client can be activated by using the
com.github.nginx-proxy.nginx-proxy.ssl_verify_client: "optional"label. This does not block access but instead stores the result in the $ssl_client_verify variable which gives user control which paths are controlled.Tests for all kind of mTLS scenarios. (10 year expiry cert)
Resolves #137, Resolves #278, Resolves #1027, Resolves #1046, Resolves #1197, Resolves #1584, Resolves #1644,
Discussed in: #2568
If you think this is something interesting to be merged I will add docs and write a wiki page how to generate all the client certificates. Please let me know.