From 265e5e50d7b3a08cf70d153188375497187affec Mon Sep 17 00:00:00 2001
From: Cynthia
Date: Tue, 6 Oct 2020 09:10:50 -0600
Subject: [PATCH] fix review

---
 README.md        | 20 ++++++++++----------
 config/config.go |  5 +++--
 main.go          |  4 +---
 3 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 2905b58cf..5ff20ddc1 100644
--- a/README.md
+++ b/README.md
@@ -297,19 +297,19 @@ $ docker run -v /path/to/cache/dir:/data \
   --htpasswd_file /etc/bazel-remote/htpasswd --max_size=5
 ```
 
-You can also enforce authentication with client certificates by passing in a `tls_ca_file`:
+If you prefer not using `.htpasswd` files it is also possible to authenticate with mTLS (also can be known as "authenticating client certificates"). You can do this by passing in the the cert/key the server should use, as well as the certificate authority that signed the client certificates:
 
 ```bash
 $ docker run -v /path/to/cache/dir:/data \
- -v /path/to/certificate_authority:/etc/bazel-remote/ca_cert \
- -v /path/to/server_cert:/etc/bazel-remote/server_cert \
- -v /path/to/server_key:/etc/bazel-remote/server_key \
- -p 9090:8080 -p 9092:9092 buchgr/bazel-remote-cache \
- --tls_enabled=true \
- --tls_ca_file=/etc/bazel-remote/ca_cert \
- --tls_cert_file=/etc/bazel-remote/server_cert \
- --tls_key_file=/etc/bazel-remote/server_key \
- --max_size=5
+ -v /path/to/certificate_authority:/etc/bazel-remote/ca_cert \
+ -v /path/to/server_cert:/etc/bazel-remote/server_cert \
+ -v /path/to/server_key:/etc/bazel-remote/server_key \
+ -p 9090:8080 -p 9092:9092 buchgr/bazel-remote-cache \
+ --tls_enabled=true \
+ --tls_ca_file=/etc/bazel-remote/ca_cert \
+ --tls_cert_file=/etc/bazel-remote/server_cert \
+ --tls_key_file=/etc/bazel-remote/server_key \
+ --max_size=5
 ```
 
 ### Profiling
diff --git a/config/config.go b/config/config.go
index fe8ac4024..781328e3a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -169,8 +169,9 @@ func validateConfig(c *Config) error {
 	}
 
 	if c.TLSCaFile != "" && (c.TLSCertFile == "" || c.TLSKeyFile == "") {
-		return errors.New("When enabling mTLS one must specify a: 'tls_ca_file' " +
-			"as well as 'tls_cert_file', and 'tls_key_file'")
+		return errors.New("When enabling mTLS (authenticating client " +
+			"certificates) the server must have it's own 'tls_key_file' " +
+			"and 'tls_cert_file' specified.")
 	}
 
 	if c.GoogleCloudStorage != nil && c.HTTPBackend != nil && c.S3CloudStorage != nil {
diff --git a/main.go b/main.go
index c802bd2c2..255e3899d 100644
--- a/main.go
+++ b/main.go
@@ -145,7 +145,7 @@ func main() {
 		&cli.StringFlag{
 			Name: "tls_ca_file",
 			Value: "",
-			Usage: "Path to a pem encoded certificate authority file.",
+			Usage: "Optional. Enables mTLS (authenticating client certificates), should be the certificate authority that signed the client certificates.",
 			EnvVars: []string{"BAZEL_REMOTE_TLS_CA_FILE"},
 		},
 		&cli.StringFlag{
@@ -382,8 +382,6 @@ func main() {
 		tlsConfig = &tls.Config{
 			Certificates: []tls.Certificate{readCert},
 		}
-	} else {
-		tlsConfig = nil
 	}
 
 	mux := http.NewServeMux()
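Review bot: The new error string in validateConfig has a typo ("it's" should be "its") and, being capitalised and ending in a period, violates the Go error-string convention that staticcheck (ST1005) flags, which matters because these messages get wrapped and chained by callers. I would write it as `return errors.New("when enabling mTLS (authenticating client certificates) the server must have its own 'tls_key_file' and 'tls_cert_file' specified")`, split across lines as the original is. The check itself only guarantees the server has a cert/key pair when a CA is configured; whether the CA is actually enforced against clients is decided in main.go, not here, so this validation should not be read as proof that mTLS is on. validateConfig's body starts and ends outside the hunk.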
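Review bot: The rewritten Usage text for tls_ca_file drops the one concrete detail the old text carried, that the file must be PEM-encoded, and does not tell the operator what happens to clients that present no certificate or one signed by a different CA. I would keep both in the flag help: `Usage: "Optional. Path to a PEM-encoded certificate authority file. When set, enables mTLS (authenticating client certificates): the server will only accept clients whose certificate was signed by this CA."`. The second sentence assumes the server sets tls.RequireAndVerifyClientCert when this flag is given, which is not visible in this patch; if the actual ClientAuth mode is weaker, the help text should say so rather than imply enforcement. The enclosing flag list and func main begin and end outside the hunk.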
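Review bot: The tls.Config built at the end of this hunk sets only Certificates, so nothing visible here wires tls_ca_file into ClientCAs or sets ClientAuth, and Go's default ClientAuth is tls.NoClientCert, meaning a CA that is validated by validateConfig but never installed here would be silently ignored and the server would accept any client; the start of this if block lies above the hunk, so that wiring may well be there, but it is worth confirming with a test that a client without a certificate is rejected. Independently, the server config should pin a floor on the protocol version, which is a one-line addition, `MinVersion:   tls.VersionTLS12,`, next to Certificates. Dropping the `else { tlsConfig = nil }` branch is only behaviour-preserving if tlsConfig is declared with `var tlsConfig *tls.Config` and not assigned earlier, which this hunk does not show.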