envoyproxy/envoy

Add verify_client_certificate.

Open

#5,501 创建于 2019年1月6日

在 GitHub 查看
 (3 评论) (0 反应) (0 负责人)C++ (5,373 fork)batch import
area/tlshelp wanted

仓库指标

Star
 (27,997 star)
PR 合并指标
 (平均合并 8天) (30 天内合并 378 个 PR)

描述

From https://github.com/envoyproxy/envoy/pull/5207#issuecomment-447345279:

I think that we could simply add verify_client_certificate: true|check|false, where:

  • true would verify the client certificate and reject connection if the verification failed (what we have today),
  • check would verify the client certificate, but forward it and the verification status via x-forwarded-client-cert or another header (for easier matching), regardless of the verification status,
  • false would forward the client certificate to the backend via x-forwarded-client-cert without attempting to verify it (to avoid crypto operations, do access control at the backend, etc.).

贡献者指南