Merge branch 'release/v1.29.4-2'

Author: ppxl

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.29.4-2] - 2026-01-19
+### Added
+- [#134] support mutual TLS with client certificates 
+
 ## [v1.29.4-1] - 2025-12-16
 ### Changed
 - [#132] Upgrade nginx to v1.29.4

Dockerfile

@@ -2,7 +2,7 @@ FROM node:lts-alpine as templating
 
 ENV WORKDIR=/template \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.29.4-1"
+    VERSION="1.29.4-2"
 
 RUN mkdir -p ${WORKDIR}
 WORKDIR ${WORKDIR}
@@ -68,11 +68,11 @@ RUN wget --progress=bar:force:noscroll -O /tmp/warp.zip https://github.com/cloud
 FROM registry.cloudogu.com/official/base:3.22.0-5
 LABEL maintainer="hello@cloudogu.com" \
       NAME="official/nginx" \
-      VERSION="1.29.4-1"
+      VERSION="1.29.4-2"
 
 ENV CES_MAINTENANCE_MODE=false \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.29.4-1"
+    VERSION="1.29.4-2"
 
 RUN set -x -o errexit \
  && set -o nounset \

docs/dev/client-certificates_de.md

@@ -0,0 +1,82 @@
+# Mutual TLS mit Client Zertifikaten
+
+Das Nginx-Dogu unterstützt die Authentifizierung von Clients mittels Zertifikaten (Mutual TLS). Wenn diese Funktion aktiviert
+ist, fordert Nginx beim TLS-Handshake ein Zertifikat vom Client an und validiert dieses gegen eine hinterlegte
+Certificate Authority (CA).
+
+## Konfiguration
+
+Die Konfiguration erfolgt über die Dogu-Konfiguration `mutual_tls/enabled`.
+
+> [!IMPORTANT]  
+> Damit die Authentifizierung mit Client-Zertifikaten funktioniert, muss Split-DNS konfiguriert sein.
+> Siehe [Split-DNS](#split-dns)
+
+### 1. CA Zertifikat hinterlegen
+
+Damit Nginx die Client-Zertifikate validieren kann, muss das öffentliche Zertifikat der CA global im CES bekannt sein.
+Das CA-Zertifikat muss im PEM-Format in der globalen Konfiguration gespeichert werden:
+
+```bash
+cat client-ca.crt | etcdctl set /config/_global/certificate/client-ca.crt
+```
+
+> Hinweis: Ein CA-Zertifikat kann z.B. so erzeugt werden:
+> 1. Key erzeugen: `openssl genrsa -out client-ca.key 4096`
+> 2. Zerifikat erstellen: ` openssl req -x509 -new -nodes -key client-ca.key -sha256 -days 3650 -out client-ca.crt -subj "/C=DE/O=MyOrg/CN=MyOrg Client Root CA`
+
+### 2. Authentifizierung aktivieren
+
+Die Client-Authentifizierung ist standardmäßig deaktiviert. Sie über die Dogu-Config des nginx aktiviert werden:
+
+```bash
+etcdctl set /config/nginx/mutual_tls/enabled true
+```
+
+Nach der Änderung muss das Nginx-Dogu neu gestartet werden, damit das CA-Zertifikat aus der Registry geladen und die
+Konfiguration neu generiert wird.
+
+## Funktionsweise
+
+Sobald `mutual_tls/enabled` auf `true` gesetzt ist:
+
+1. Extrahiert das `startup.sh` Skript das CA-Zertifikat aus der globalen Registry nach `/etc/ssl/client-ca.crt`.
+2. Aktiviert die `ssl.conf` die Nginx-Direktiven `ssl_client_certificate` und `ssl_verify_client on`.
+
+### Ausnahme für interne Dogu-Requests
+Damit Dogus auch ohne Client-Zertifikat Requests an andere Dogus stellen können (z.B. zur Validierung der CAS-Session),
+wird in der `nginx.conf` eine Ausnahme für alle Requests erstellt, die aus dem internen Docker-Netzwerk (`172.18.0.1/32`) stammen.
+
+#### Split-DNS
+Damit das funktioniert, muss Split-DNS entsprechend konfiguriert sein.
+Bei der Installation des CES kann dies in der setup.json unter `useInternalIp` bzw. `internalIp` konfiguriert werden. Siehe: https://docs.cloudogu.com/de/docs/system-components/ces-setup/operations/setup-json/#useinternalip
+
+Dabei wird dann ein entsprechender Eintrag in der `/etc/hosts` der CES-Instanz erzeugt.
+Um eine CES-Instanz nach der Installation für Split-DNS zu konfigurieren, muss für die interne IP ein entsprechender Eintrag in der `/etc/hosts` hinterlegt werden.
+Zum Beispiel:
+```
+<interne IP>  <DNS-Name>
+172.18.0.1    ces.example.com
+```
+
+Danach müssen alle Dogus einmal neugestartet werden.
+
+## Ein Client-Zertifikat erzeugen
+Folgende Schritte sind nötig um ein Client-Zertifikat zu erzeugen:
+
+1. User-Key generieren: `openssl genrsa -out client1.key 4096`
+2. Certificate Signing Request (CSR) generieren: `openssl req -new -key client1.key -out client1.csr -subj "/C=DE/O=MyOrg/OU=Clients/CN=client1"`
+3. Client extension file generieren:
+   ```bash
+     cat > client.ext <<'EOF'
+     basicConstraints = CA:FALSE
+     keyUsage = digitalSignature, keyEncipherment
+     extendedKeyUsage = clientAuth
+     subjectKeyIdentifier = hash
+     EOF
+   ```
+4. CSR signieren: `openssl x509 -req -in client1.csr -CA client-ca.crt -CAkey client-ca.key -CAcreateserial -out client1.crt -days 365 -sha256 -extfile client.ext`
+5. Client-Zertifikat exportieren: `openssl pkcs12 -export -inkey client1.key -in client1.crt -certfile client-ca.crt -name "client1" -out client1.p12`
+    > Hinweis: Beim Exportieren muss ein Passwort angegeben werden.
+
+Das exportierte Zertifikat kann nun im Browser importiert werden.

docs/dev/client-certificates_en.md

@@ -0,0 +1,83 @@
+# Mutual TLS with client certificates
+
+Nginx Dogu supports client authentication using certificates (Mutual TLS). When this feature is enabled,
+Nginx requests a certificate from the client during the TLS handshake and validates it against a stored
+Certificate Authority (CA).
+
+## Configuration
+
+The configuration is done via the Dogu configuration `mutual_tls/enabled`.
+
+> [!IMPORTANT]  
+> Split DNS must be configured for authentication with client certificates to work.
+> See [Split DNS](#split-dns)
+
+### 1. Store CA certificate
+
+In order for Nginx to validate the client certificates, the public certificate of the CA must be known globally in the CES.
+The CA certificate must be stored in PEM format in the global configuration:
+
+```bash
+cat client-ca.crt | etcdctl set /config/_global/certificate/client-ca.crt
+```
+
+> Note: A CA certificate can be generated as follows, for example:
+> 1. Generate key: `openssl genrsa -out client-ca.key 4096`
+> 2. Create certificate: ` openssl req -x509 -new -nodes -key client-ca.key -sha256 -days 3650 -out client-ca.crt -subj "/C=DE/O=MyOrg/CN=MyOrg Client Root CA`
+
+
+### 2. Enable authentication
+
+Client authentication is disabled by default. It can be enabled via the Dogu config of nginx:
+
+```bash
+etcdctl set /config/nginx/mutual_tls/enabled true
+```
+
+After making this change, the Nginx Dogu must be restarted so that the CA certificate is loaded from the registry and the
+configuration is regenerated.
+
+## How it works
+
+Once `mutual_tls/enabled` is set to `true`:
+
+1. The `startup.sh` script extracts the CA certificate from the global registry to `/etc/ssl/client-ca.crt`.
+2. The `ssl.conf` activates the Nginx directives `ssl_client_certificate` and `ssl_verify_client on`.
+
+### Exception for internal Dogu requests
+To enable Dogus to send requests to other Dogus without a client certificate (e.g., to validate the CAS session),
+an exception is created in `nginx.conf` for all requests originating from the internal Docker network (`172.18.0.1/32`).
+
+#### Split DNS
+For this to work, split DNS must be configured accordingly.
+When installing the CES, this can be configured in setup.json under `useInternalIp` or `internalIp`. See: https://docs.cloudogu.com/de/docs/system-components/ces-setup/operations/setup-json/#useinternalip
+
+This creates a corresponding entry in the `/etc/hosts` of the CES instance.
+To configure a CES instance for split DNS after installation, a corresponding entry must be stored in `/etc/hosts` for the internal IP.
+For example:
+```
+<internal IP>  <DNS name>
+172.18.0.1    ces.example.com
+```
+
+After that, all Dogus must be restarted once.
+
+## Generate a client certificate
+The following steps are necessary to generate a client certificate:
+
+1. Generate user key: `openssl genrsa -out client1.key 4096`
+2. Generate a certificate signing request (CSR): `openssl req -new -key client1.key -out client1.csr -subj “/C=DE/O=MyOrg/OU=Clients/CN=client1”`
+3. Generate client extension file:
+```bash
+     cat > client.ext <<‘EOF’
+     basicConstraints = CA:FALSE
+     keyUsage = digitalSignature, keyEncipherment
+     extendedKeyUsage = clientAuth
+     subjectKeyIdentifier = hash
+     EOF
+   ```
+4. Sign CSR: `openssl x509 -req -in client1.csr -CA client-ca.crt -CAkey client-ca.key -CAcreateserial -out client1.crt -days 365 -sha256 -extfile client.ext`
+5. Export client certificate: `openssl pkcs12 -export -inkey client1.key -in client1.crt -certfile client-ca.crt -name “client1” -out client1.p12`
+   > Note: A password must be entered when exporting.
+
+The exported certificate can now be imported into the browser.

docs/gui/release_notes_de.md

@@ -6,6 +6,9 @@ Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https
 
 ## [Unreleased]
 
+## [v1.29.4-2] - 2026-01-19
+- Fügt Mutual-TLS-Zertifikatsunterstützung hinzu
+
 ## [v1.29.4-1] - 2025-12-16
 - Wir haben nur technische Änderungen vorgenommen. Näheres finden Sie in den Changelogs.
 

docs/gui/release_notes_en.md

@@ -6,6 +6,9 @@ Technical details on a release can be found in the corresponding [Changelog](htt
 
 ## [Unreleased]
 
+## [v1.29.4-2] - 2026-01-19
+- Adds support for Mutual TLS certificates
+
 ## [v1.29.4-1] - 2025-12-16
 - We have only made technical changes. You can find more details in the changelogs.
 

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/nginx",
-  "Version": "1.29.4-1",
+  "Version": "1.29.4-2",
   "DisplayName": "Nginx",
   "Description": "Nginx WebServer.",
   "Logo": "https://cloudogu.com/images/dogus/nginx.png",
@@ -120,6 +120,19 @@
       "Name": "buffer/proxy_busy_buffers_size",
       "Description": "When buffering of responses from the proxied server is enabled, limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. In the meantime, the rest of the buffers can be used for reading the response and, if needed, buffering part of the response to a temporary file. By default, size is limited by the size of two buffers set by the proxy_buffer_size and proxy_buffers directives. The default value is 8k/16k (depending on the platform). Format: '{buffer size}k' ",
       "Optional": true
+    },
+    {
+      "Name": "mutual_tls/enabled",
+      "Description": "Enables mutual TLS. If enabled, the certificate of the client must be provided in the request to the server. Format: 'true' or 'false'. Ensure the CA certificate used to sign client certificates is stored in the global configuration at 'certificate/client-ca.crt'",
+      "Default": "false",
+      "Validation": {
+        "Type": "ONE_OF",
+        "Values": [
+          "true",
+          "false"
+        ]
+      },
+      "Optional": true
     }
   ],
   "Volumes": [

resources/etc/ces-confd/templates/app.conf.tpl

@@ -28,6 +28,9 @@ server {
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Scheme $scheme;
 
+  proxy_set_header X-Client-S-DN $ssl_client_s_dn;
+  proxy_set_header X-Client-Verify $ssl_client_verify;
+
   # proxy keep alive settings
   # https://github.com/cloudogu/ecosystem/issues/298
   # https://stackoverflow.com/questions/28347184/upstream-timed-out-110-connection-timed-out-for-static-content

resources/etc/nginx/include.d/ssl.conf.tpl

@@ -12,3 +12,13 @@ ssl_protocols             TLSv1.2 TLSv1.3;
 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
 ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
 ssl_prefer_server_ciphers on;
+
+{{- if eq (.Config.GetOrDefault "mutual_tls/enabled" "false") "true" -}}
+ssl_client_certificate /etc/ssl/client-ca.crt;
+ssl_verify_client optional;
+
+# check if access is allowed
+if ($access_allowed = 0) {
+  return 403;
+}
+{{- end -}}

resources/etc/nginx/nginx.conf.tpl

@@ -66,4 +66,28 @@ http {
 	# include app configuration
   include /etc/nginx/conf.d/*.conf;
   include {{ .Env.Get "APPCONF_VOL_DIR" }}/*.conf;
+
+  {{- if eq (.Config.GetOrDefault "mutual_tls/enabled" "false") "true" -}}
+    # mark internal requests coming from the docker network
+    geo $is_internal {
+      default 0;
+      172.18.0.1/32 1;
+      127.0.0.1/32  1;
+    }
+
+    # allow only all internal requests or external requests if mTLS was successful
+    map "$is_internal:$ssl_client_verify" $access_allowed {
+      default 0;
+
+      # internal always allowed
+      "1:NONE"    1;
+      "1:FAILED"  1;
+      "1:SUCCESS" 1;
+
+      # external only allowed, if mTLS was successful
+      "0:SUCCESS" 1;
+    }
+
+  {{- end -}}
+
 }