support mTLS for authentication

README.md

@@ -304,6 +304,21 @@ $ docker run -v /path/to/cache/dir:/data \
 	--htpasswd_file /etc/bazel-remote/htpasswd --max_size=5
 ```
 
+You can also enforce authentication with client certificates by passing in a `tls_ca_file`:
+
+```bash
+$ docker run -v /path/to/cache/dir:/data \
+   -v /path/to/certificate_authority:/etc/bazel-remote/ca_cert \
+	-v /path/to/server_cert:/etc/bazel-remote/server_cert \
+	-v /path/to/server_key:/etc/bazel-remote/server_key \
+	-p 9090:8080 -p 9092:9092 buchgr/bazel-remote-cache \
+	--tls_enabled=true \
+   --tls_ca_file=/etc/bazel-remote/ca_cert \
+	--tls_cert_file=/etc/bazel-remote/server_cert \
+	--tls_key_file=/etc/bazel-remote/server_key \
+   --max_size=5
+```
+
 ### Profiling
 
 To enable pprof profiling, specify a port with `--profile_port`.

config/config.go

@@ -45,6 +45,7 @@ type Config struct {
 	Dir                         string                    `yaml:"dir"`
 	MaxSize                     int                       `yaml:"max_size"`
 	HtpasswdFile                string                    `yaml:"htpasswd_file"`
+	TLSCaFile                   string                    `yaml:"tls_ca_file"`
 	TLSCertFile                 string                    `yaml:"tls_cert_file"`
 	TLSKeyFile                  string                    `yaml:"tls_key_file"`
 	S3CloudStorage              *S3CloudStorageConfig     `yaml:"s3_proxy,omitempty"`
@@ -69,6 +70,7 @@ func New(dir string, maxSize int, host string, port int, grpcPort int,
 	htpasswdFile string,
 	maxQueuedUploads int,
 	numUploaders int,
+	tlsCaFile string,
 	tlsCertFile string,
 	tlsKeyFile string,
 	idleTimeout time.Duration,
@@ -91,6 +93,7 @@ func New(dir string, maxSize int, host string, port int, grpcPort int,
 		HtpasswdFile:                htpasswdFile,
 		MaxQueuedUploads:            maxQueuedUploads,
 		NumUploaders:                numUploaders,
+		TLSCaFile:                   tlsCaFile,
 		TLSCertFile:                 tlsCertFile,
 		TLSKeyFile:                  tlsKeyFile,
 		S3CloudStorage:              s3,
@@ -176,6 +179,11 @@ func validateConfig(c *Config) error {
 			"'tls_key_file' and 'tls_cert_file'")
 	}
 
+	if c.TLSCaFile != "" && (c.TLSCertFile == "" || c.TLSKeyFile == "") {
+		return errors.New("When enabling mTLS one must specify a: 'tls_ca_file' " +
+			"as well as 'tls_cert_file', and 'tls_key_file'")
+	}
+
 	if c.GoogleCloudStorage != nil && c.HTTPBackend != nil && c.S3CloudStorage != nil {
 		return errors.New("One can specify at most one proxying backend")
 	}

main.go

@@ -2,7 +2,10 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net/http"
 	_ "net/http/pprof" // Register pprof handlers with DefaultServeMux.
@@ -139,6 +142,12 @@ func main() {
 			Usage:   "This flag has been deprecated. Specify tls_cert_file and tls_key_file instead.",
 			EnvVars: []string{"BAZEL_REMOTE_TLS_ENABLED"},
 		},
+		&cli.StringFlag{
+			Name:    "tls_ca_file",
+			Value:   "",
+			Usage:   "Path to a pem encoded certificate authority file.",
+			EnvVars: []string{"BAZEL_REMOTE_TLS_CA_FILE"},
+		},
 		&cli.StringFlag{
 			Name:    "tls_cert_file",
 			Value:   "",
@@ -289,6 +298,7 @@ func main() {
 				ctx.String("htpasswd_file"),
 				ctx.Int("max_queued_uploads"),
 				ctx.Int("num_uploaders"),
+				ctx.String("tls_ca_file"),
 				ctx.String("tls_cert_file"),
 				ctx.String("tls_key_file"),
 				ctx.Duration("idle_timeout"),
@@ -349,11 +359,53 @@ func main() {
 
 		diskCache := disk.New(c.Dir, int64(c.MaxSize)*1024*1024*1024, proxyCache)
 
+		var tlsConfig *tls.Config
+		if len(c.TLSCaFile) != 0 {
+			caCertPool := x509.NewCertPool()
+			caCert, err := ioutil.ReadFile(c.TLSCaFile)
+			if err != nil {
+				log.Fatalf("Error reading TLS CA File: %v", err)
+			}
+			added := caCertPool.AppendCertsFromPEM(caCert)
+			if !added {
+				log.Fatalf("Failed to add certificate to cert pool.")
+			}
+
+			readCert, err := tls.LoadX509KeyPair(
+				c.TLSCertFile,
+				c.TLSKeyFile,
+			)
+			if err != nil {
+				log.Fatalf("Error reading certificate/key pair: %v", err)
+			}
+
+			tlsConfig = &tls.Config{
+				Certificates: []tls.Certificate{readCert},
+				ClientCAs:    caCertPool,
+				ClientAuth:   tls.RequireAndVerifyClientCert,
+			}
+		} else if len(c.TLSCertFile) != 0 && len(c.TLSKeyFile) != 0 {
+			readCert, err := tls.LoadX509KeyPair(
+				c.TLSCertFile,
+				c.TLSKeyFile,
+			)
+			if err != nil {
+				log.Fatalf("Error reading certificate/key pair: %v", err)
+			}
+
+			tlsConfig = &tls.Config{
+				Certificates: []tls.Certificate{readCert},
+			}
+		} else {
+			tlsConfig = nil
+		}
+
 		mux := http.NewServeMux()
 		httpServer := &http.Server{
 			Addr:         c.Host + ":" + strconv.Itoa(c.Port),
 			Handler:      mux,
 			ReadTimeout:  c.HTTPReadTimeout,
+			TLSConfig:    tlsConfig,
 			WriteTimeout: c.HTTPWriteTimeout,
 		}
 
@@ -414,13 +466,8 @@ func main() {
 					grpc_prometheus.EnableHandlingTimeHistogram(grpc_prometheus.WithHistogramBuckets(durationBuckets))
 				}
 
-				if len(c.TLSCertFile) > 0 && len(c.TLSKeyFile) > 0 {
-					creds, err2 := credentials.NewServerTLSFromFile(
-						c.TLSCertFile, c.TLSKeyFile)
-					if err2 != nil {
-						log.Fatal(err2)
-					}
-					opts = append(opts, grpc.Creds(creds))
+				if tlsConfig != nil {
+					opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
 				}
 
 				if htpasswdSecrets != nil {