For Microgateway, I’m assuming that using the following config we can configure mutual TLS and require a client certificate for northbound calls for all MG proxies on the MG instance:
edgemicro:
  ssl:
    key: <absolute path to the SSL key file>
    cert: <absolute path to the SSL cert file>
    passphrase: admin123
    rejectUnauthorized: true
    requestCert: true
    ca: <absolute path to the file containing a list of trusted certificates in PEM format.>
However, it would be great if we could specify mutual TLS only for specific proxies like this!
proxies:
  - edgemicro_proxy-1
    ssl:
      requestCert: true
      ca: <absolute path to the file containing a list of trusted certificates in PEM format.>
Technically this posting isn’t a question – so let’s make one out of it. Is it possible to do it?
@Robert Johnson
I think this feature is not possible to implement. TLS negotiation happens long before proxies or basePaths are considered. I suspect even HTTP servers like nginx will force you to create different ports for mTLS vs. TLS.
I also ran into this issue. I came up with a couple of solutions:
- Option 1: You can spawn multiple EMG instances with different configuration files that include proxy filters and MTLS settings.
- Option 2: You can enable SNI in EMG by modifying the gateway source code a little bit. Exactly here. Your changes should look similar to this (also include the requestCert and rejectUnauthorized flags). Then, you can create (or modify) a plugin so that it validates the incoming client CN and Host header and then “allows” the transaction depending on a configuration map (e.g. secured.domain.com>edgemicro_petstore_v1;safe_client_1,safe_client_2).
Option 2 resembles vhosts on Edge a little bit. It’s not really advisable to modify the source code; however, it was fun to play around with it.
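An added example (not code from the post or from Apigee) of the plugin check that Option 2 describes, written in the Node.js plugin shape Edge Microgateway uses (an init function returning an onrequest hook). The map string format, the accessMap setting name, and reading the client CN through req.socket.getPeerCertificate() are assumptions; the Host header is matched without its port and unknown hosts are denied by default.

```javascript
// Added example, not Apigee's code. Access map format (assumed):
//   "host>proxy;client_cn_1,client_cn_2|host2>proxy2;client_cn_3"
// Parses the map into { host: { proxy, clients: Set<CN> } }.
function parseAccessMap(spec) {
  const map = {};
  for (const entry of spec.split('|')) {
    const m = /^([^>]+)>([^;]+);(.*)$/.exec(entry.trim());
    if (!m) throw new Error('bad access map entry: ' + entry);
    const [, host, proxy, clients] = m;
    map[host.trim().toLowerCase()] = {
      proxy: proxy.trim(),
      clients: new Set(clients.split(',').map((c) => c.trim()).filter(Boolean)),
    };
  }
  return map;
}

// Decides whether a request may pass. hostHeader may carry a port; cn is the
// client certificate's subject CN, or undefined when no verified cert was presented.
function isAllowed(map, hostHeader, cn) {
  const host = String(hostHeader || '').split(':')[0].toLowerCase();
  const rule = map[host];
  if (!rule) return false; // unknown vhost: deny by default
  if (!cn) return false;   // no client certificate: deny
  return rule.clients.has(cn);
}

// Plugin entry point in Microgateway style: init(config, logger, stats) returns hooks.
// A real plugin would export this via module.exports.init; config.accessMap is assumed.
function init(config, logger) {
  const map = parseAccessMap(config.accessMap);
  return {
    onrequest: function (req, res, next) {
      const sock = req.socket;
      // Only trust the CN when the TLS layer actually verified the client cert.
      const verified = !sock || sock.authorized !== false;
      const cert = verified && sock && sock.getPeerCertificate ? sock.getPeerCertificate() : {};
      const cn = cert && cert.subject ? cert.subject.CN : undefined;
      if (!isAllowed(map, req.headers.host, cn)) {
        if (logger && logger.warn) logger.warn('mtls-vhost: denied host=' + req.headers.host + ' cn=' + cn);
        res.statusCode = 403;
        res.end('Forbidden');
        return;
      }
      next();
    },
  };
}
```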