envoyproxy/envoy

Add verify_client_certificate.

Open

#5,501 建立於 2019年1月6日

在 GitHub 查看
 (3 留言) (0 反應) (0 負責人)C++ (5,373 fork)batch import
area/tlshelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

From https://github.com/envoyproxy/envoy/pull/5207#issuecomment-447345279:

I think that we could simply add verify_client_certificate: true|check|false, where:

  • true would verify the client certificate and reject connection if the verification failed (what we have today),
  • check would verify the client certificate, but forward it and the verification status via x-forwarded-client-cert or another header (for easier matching), regardless of the verification status,
  • false would forward the client certificate to the backend via x-forwarded-client-cert without attempting to verify it (to avoid crypto operations, do access control at the backend, etc.).

貢獻者指南