Skip to content

mTLS on wildcard also enables mTLS on specific subdomain #7860

Description

@TheStaticTurtle

Issue Details

Hi,

I'm trying to set up mTLS on *.example.com while keeping public.example.com without mTLS.

My config looks like this:

(wildcard_proxy) {
	tls {
		on_demand
		issuer internal
		
		{blocks.tls}
	}
	route {
		reverse_proxy {
			to {args.0}
		}
	}
}

public.example.com {
	import wildcard_proxy https://10.10.15.50 {
		tls {
		}
	}
}

*.example.com {
	import wildcard_proxy https://10.10.15.50 {
		tls {
			client_auth {
				mode require_and_verify
				trust_pool file {
					pem_file /etc/caddy/ca/root_ca_infra.crt
				}
			}
		}
	}
}

As expected, accessing private.example.com does request the client certificate; however, so does public.example.com.
Looking at the adapted json it's clear why, there's nothing about the public domain so it matches to the wildcard:

"tls_connection_policies": [
	{
        "match": {
            "sni": [
                "*.example.com"
            ]
        },
        "client_authentication": {
            "ca": {
                "pem_files": [
                    "/etc/caddy/ca/root_ca_infra.crt"
                ],
                "provider": "file"
            },
            "mode": "require_and_verify"
        }
    },
    {}
]

The current "fix" I found is to also add mTLS on public.example.com but with mode request.
This add a new policy before the wildcard which I guess matches first and doesn't block the request:

"tls_connection_policies": [
	{
        "match": {
            "sni": [
                "public.example.com"
            ]
        },
        "client_authentication": {
            "ca": {
                "pem_files": [
                    "/etc/caddy/ca/root_ca_infra.crt"
                ],
                "provider": "file"
            },
            "mode": "request"
        }
    },
	{
        "match": {
            "sni": [
                "*.example.com"
            ]
        },
        "client_authentication": {
            "ca": {
                "pem_files": [
                    "/etc/caddy/ca/root_ca_infra.crt"
                ],
                "provider": "file"
            },
            "mode": "require_and_verify"
        }
    },
    {}
]

Is this a bug? Intended behavior? Or am I missing something?

Thanks,

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug 🐞Something isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions