skipper: add TLS client authentication config
Add an option and a flag to configure TLS Client Authentication
policy of the Server.

Fixes #3280

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
AlexanderYastrebov committed Oct 21, 2024
1 parent 03c4af4 commit 37aa1f8
Showing 2 changed files with 26 additions and 1 deletion.
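--- a/config/config.go
+++ b/config/config.go
@@ -217,7 +217,8 @@ type Config struct {
 Certificates []tls.Certificate `yaml:"-"`
 
 // TLS version
-TLSMinVersion string `yaml:"tls-min-version"`
+TLSMinVersion string `yaml:"tls-min-version"`
+TLSClientAuth tls.ClientAuthType `yaml:"tls-client-auth"`
 
 // Exclude insecure cipher suites
 ExcludeInsecureCipherSuites bool `yaml:"exclude-insecure-cipher-suites"`
@@ -523,6 +524,9 @@ func NewConfig() *Config {
 
 // TLS version
 flag.StringVar(&cfg.TLSMinVersion, "tls-min-version", defaultMinTLSVersion, "minimal TLS Version to be used in server, proxy and client connections")
+flag.Func("tls-client-auth", "TLS client authentication policy for server, one of: "+
+"NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven or RequireAndVerifyClientCert. "+
+"See https://pkg.go.dev/crypto/tls#ClientAuthType for details.", cfg.setTLSClientAuth)
 
 // Exclude insecure cipher suites
 flag.BoolVar(&cfg.ExcludeInsecureCipherSuites, "exclude-insecure-cipher-suites", false, "excludes insecure cipher suites")
@@ -727,6 +731,7 @@ func (c *Config) ToOptions() skipper.Options {
 DebugListener: c.DebugListener,
 CertPathTLS: c.CertPathTLS,
 KeyPathTLS: c.KeyPathTLS,
+TLSClientAuth: c.TLSClientAuth,
 CipherSuites: c.filterCipherSuites(),
 MaxLoopbacks: c.MaxLoopbacks,
 DefaultHTTPStatus: c.DefaultHTTPStatus,
@@ -1047,6 +1052,21 @@ func (c *Config) getMinTLSVersion() uint16 {
 return tlsVersionTable[defaultMinTLSVersion]
 }
 
+func (c *Config) setTLSClientAuth(s string) error {
+var ok bool
+c.TLSClientAuth, ok = map[string]tls.ClientAuthType{
+"NoClientCert": tls.NoClientCert,
+"RequestClientCert": tls.RequestClientCert,
+"RequireAnyClientCert": tls.RequireAnyClientCert,
+"VerifyClientCertIfGiven": tls.VerifyClientCertIfGiven,
+"RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert,
+}[s]
+if !ok {
+return fmt.Errorf("unsupported TLS client authentication type")
+}
+return nil
+}
+
 func (c *Config) filterCipherSuites() []uint16 {
 if !c.ExcludeInsecureCipherSuites {
 return nil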
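Review bot: The error returned by setTLSClientAuth in the last hunk drops the rejected value, so a mistyped flag yields only `unsupported TLS client authentication type` with nothing for the operator to act on; `return fmt.Errorf("unsupported TLS client authentication type %q", s)` gives the same message plus the offending input. The new `TLSClientAuth tls.ClientAuthType` field in the first hunk carries a `yaml:"tls-client-auth"` tag but is an integer enum type, so unless a custom YAML unmarshaller exists elsewhere in the package a YAML config would have to use the numeric value rather than the names the flag accepts; either reusing the same name table for YAML or documenting the accepted YAML form on the field would keep the two inputs consistent. As a point of style, the name table could be a package-level var instead of a map literal rebuilt per call, though the flag is parsed once so this is cosmetic.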
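--- a/skipper.go
+++ b/skipper.go
@@ -617,6 +617,10 @@ type Options struct {
 // multiple keys, the order must match the one given in CertPathTLS
 KeyPathTLS string
 
+// TLSClientAuth sets the policy the server will follow for
+// TLS Client Authentication, see [tls.ClientAuthType]
+TLSClientAuth tls.ClientAuthType
+
 // TLS Settings for Proxy Server
 ProxyTLS *tls.Config
 
@@ -1198,6 +1202,7 @@ func (o *Options) tlsConfig(cr *certregistry.CertRegistry) (*tls.Config, error)
 
 config := &tls.Config{
 MinVersion: o.TLSMinVersion,
+ClientAuth: o.TLSClientAuth,
 }
 
 if o.CipherSuites != nil {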
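Review bot: The second hunk sets ClientAuth on the server tls.Config without a ClientCAs pool beside it; tlsConfig continues outside the hunk, so unless ClientCAs is populated there, the VerifyClientCertIfGiven and RequireAndVerifyClientCert policies will verify presented client certificates against the system root pool, since crypto/tls falls back to the system roots when ClientCAs is nil, which accepts any certificate chaining to a public CA rather than one issued by an operator-chosen CA. Either a companion option for the trusted client CA bundle or a note on the new field would make that explicit, e.g. `// Verification for the Verify* policies uses the server tls.Config's ClientCAs; when unset, crypto/tls falls back to the system root pool.` The doc comment added in the first hunk should also end in a period to follow Go doc-comment convention.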