Issue Details
Hi,
I'm trying to set up mTLS on *.example.com while keeping public.example.com without mTLS.
My config looks like this:
(wildcard_proxy) {
tls {
on_demand
issuer internal
{blocks.tls}
}
route {
reverse_proxy {
to {args.0}
}
}
}
public.example.com {
import wildcard_proxy https://10.10.15.50 {
tls {
}
}
}
*.example.com {
import wildcard_proxy https://10.10.15.50 {
tls {
client_auth {
mode require_and_verify
trust_pool file {
pem_file /etc/caddy/ca/root_ca_infra.crt
}
}
}
}
}
As expected, accessing private.example.com does request the client certificate; however, so does public.example.com.
Looking at the adapted json it's clear why, there's nothing about the public domain so it matches to the wildcard:
"tls_connection_policies": [
{
"match": {
"sni": [
"*.example.com"
]
},
"client_authentication": {
"ca": {
"pem_files": [
"/etc/caddy/ca/root_ca_infra.crt"
],
"provider": "file"
},
"mode": "require_and_verify"
}
},
{}
]
The current "fix" I found is to also add mTLS on public.example.com but with mode request.
This add a new policy before the wildcard which I guess matches first and doesn't block the request:
"tls_connection_policies": [
{
"match": {
"sni": [
"public.example.com"
]
},
"client_authentication": {
"ca": {
"pem_files": [
"/etc/caddy/ca/root_ca_infra.crt"
],
"provider": "file"
},
"mode": "request"
}
},
{
"match": {
"sni": [
"*.example.com"
]
},
"client_authentication": {
"ca": {
"pem_files": [
"/etc/caddy/ca/root_ca_infra.crt"
],
"provider": "file"
},
"mode": "require_and_verify"
}
},
{}
]
Is this a bug? Intended behavior? Or am I missing something?
Thanks,
Assistance Disclosure
AI not used
If AI was used, describe the extent to which it was used.
No response
Issue Details
Hi,
I'm trying to set up mTLS on
*.example.comwhile keepingpublic.example.comwithout mTLS.My config looks like this:
(wildcard_proxy) { tls { on_demand issuer internal {blocks.tls} } route { reverse_proxy { to {args.0} } } } public.example.com { import wildcard_proxy https://10.10.15.50 { tls { } } } *.example.com { import wildcard_proxy https://10.10.15.50 { tls { client_auth { mode require_and_verify trust_pool file { pem_file /etc/caddy/ca/root_ca_infra.crt } } } } }As expected, accessing
private.example.comdoes request the client certificate; however, so doespublic.example.com.Looking at the adapted json it's clear why, there's nothing about the public domain so it matches to the wildcard:
The current "fix" I found is to also add mTLS on
public.example.combut with moderequest.This add a new policy before the wildcard which I guess matches first and doesn't block the request:
Is this a bug? Intended behavior? Or am I missing something?
Thanks,
Assistance Disclosure
AI not used
If AI was used, describe the extent to which it was used.
No response