envoyproxy/envoy

Add verify_client_certificate.

Open

#5,501 opened on 2019年1月6日

GitHub で見る
 (3 comments) (0 reactions) (0 assignees)C++ (5,373 forks)batch import
area/tlshelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (平均マージ 8d) (30d で 378 merged PRs)

説明

From https://github.com/envoyproxy/envoy/pull/5207#issuecomment-447345279:

I think that we could simply add verify_client_certificate: true|check|false, where:

  • true would verify the client certificate and reject connection if the verification failed (what we have today),
  • check would verify the client certificate, but forward it and the verification status via x-forwarded-client-cert or another header (for easier matching), regardless of the verification status,
  • false would forward the client certificate to the backend via x-forwarded-client-cert without attempting to verify it (to avoid crypto operations, do access control at the backend, etc.).

コントリビューターガイド