envoyproxy/envoy

Add verify_client_certificate.

Open

#5501 aperta il 6 gen 2019

Vedi su GitHub
 (3 commenti) (0 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/tlshelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

From https://github.com/envoyproxy/envoy/pull/5207#issuecomment-447345279:

I think that we could simply add verify_client_certificate: true|check|false, where:

  • true would verify the client certificate and reject connection if the verification failed (what we have today),
  • check would verify the client certificate, but forward it and the verification status via x-forwarded-client-cert or another header (for easier matching), regardless of the verification status,
  • false would forward the client certificate to the backend via x-forwarded-client-cert without attempting to verify it (to avoid crypto operations, do access control at the backend, etc.).

Guida contributor