-
Notifications
You must be signed in to change notification settings - Fork 492
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support mTLS client certificate authenticating #467
Comments
It turned out mTLS is already supported (#281). HTTPServer enable mTLS by setting kind: HTTPServer
...
https: true
caCertBase64: "CA_CERT"
certs:
sub.domain.io: "SERVER_CERT_CRT"
keys:
sub.domain.io: "SERVER_CERT_KEY" However there's still room for improvement. Currently updating certificates requires deleting and re-creating HTTPServer, causing service downtime. Design draft - HTTPServer certificateStorageHere's an alternative proposal that synchronizes certifications from Easegress custom-data store. kind: HTTPServer
...
https: true
# following entry is new
certificateStorage:
prefix: "certificates/"
# caCertBase64, certs and keys are left empty Certificates can be stored to Easegress using echo '
rebuild: true
list:
- caCertBase64: 'CA_CERT'
certCrtBase64: 'SERVER_CERT_CRT'
certKeyBase64: 'SERVER_CERT_KEY'
' | egctl custom-data update certificates Another option is to add this certificateStorage feature to Design draft - AutoCertManager certificateStorageAutoCertManager needs to only know, where to look for certificates. kind: AutoCertManager
name: certificateStorage
certificateStorage:
prefix: "certificates/"
# everything else left empty And To avoid overloading this new feature to existing objects Design draft - CertSynchronizerThis controller synchronize the certificates from Easegress custom data. kind: CertSynchronizer
name: certSync
prefix: "certificates/" Again, certs are stored with same @localvar @suchen-sci @zouyingjie What do you think? Do we need certificate synchronization or is it sufficient to re-create HTTPServer every time certificates change? If we need certificate synchronizer, which one the drafts makes most sense for you? |
I prefer to update AutoCertManager to support both server & client certificates. And for the original requirement, like the HTTP basic auth validator, we also need to put the client id into the header of the request. |
Thanks for input @localvar ! So currently it's possible to secure communication between clients and Easegress using mTLS, using fixed certificates. Updating mTLS requires re-creating HTTPServer. I plan to support updating mTLS certificates (CA cert and domain specific certs) using Implementation details
kind: AutoCertManager
name: certificateStorage
certificateStorage:
prefix: "certificates/"
# everything else left empty
For
I don't know clean way for |
For
I think the And for
Please check https://github.com/haoel/mTLS/blob/e7044955900f2d9c00e9b33f024380522caa983b/server.go#L46 , we can get the client certs from the request, that's we get the CN from the client cert and add the client id (need to convert CN to client ID) to the header. Actually, the 2nd point is the major one for the original requirement (multi-tenant kafka), while the 1st one is nice to have. |
OK I see, let's support first parsing the client ID (or any information) from the client certificates. Let's leave updating certificates without re-creating HTTPServer (#467 (comment)) for later. Here's a draft config for a Filter kind: "CertSubjectExtractor"
name: "cn-extractor"
certIndex: -1 # n'th certificate; 0 for first, 1 for second, …, -2 for one before last, -1 for last
target: "subject" # subject or issuer
field: "CommonName" # country, province, orgranization.. etc
headerKey: "tls-subject-cn" # header key where to set extracted info |
Is your feature request related to a problem? Please describe.
In client-server communication, where client is browser or other user terminal, using HTTPS/TLS helps client to trust the server, as server certificate is authenticated by 3rd party. In some scenarios (IOT, microservices, etc) it might be important for server to ensure that client is not compromised. Authenticating client certificates would help server to trust the client.
Describe the solution you'd like
Create new Mutual TLS (mTLS) feature. When enabled, Easegress verifies that TLS certificates of the connecting client are signed by same CA certificates as Easegress certificates. Client will equally verify certificates of Easegress.
Describe alternatives you've considered
There's no alternative way for Easegress server to trust the client.
Additional context
The text was updated successfully, but these errors were encountered: