caddyhttp: Placeholder for client cert in DER + base64 format

[musinit]

Fixes #3767

[mholt]

Thanks for the PR. I think it needs to be changed though, as it doesn't really make sense as-is.

[francislavoie]

It's not PEM if it's raw bytes base64 encoded; that's DER base64 encoded.

PEM is specifically DER base64 encoded then with ASCII armor added and newlines at every 64 chars.

[mholt]

Yeah these changes aren't quite what was suggested... try something like this instead.

[mholt]

Cool, does this serve the intended purpose @musinit @mc0239 @ramzec?

[mholt]

Someone with an actual need for this will need to verify it works and fulfills the need before this will get merged, otherwise we will have to close this for inactivity.

[mholt]

Closing due to inactivity. Can reopen if needed.

[cschmatzler]

Hey @mholt!

Not one of the people that originally wanted this, but stumbled upon it half an hour ago and can report that this change does indeed work and allows me to use Caddy in front of the Syncthing Discovery service with

tls {
    client_auth {
        mode require
    }
}

reverse_proxy /* syncthing-discovery:8443 {
    header_up X-Real-IP {http.request.remote.host}
    header_up X-Client-Port {http.request.remote.port}
    header_up X-SSL-Cert {http.request.tls.client.certificate_der_base64}
}

That said, I'd appreciate you reopening and merging this PR.

Thanks!

[francislavoie]

Interesting, thanks @cschmatzler, for ref, X-SSL-Cert is documented here: https://docs.syncthing.net/users/stdiscosrv.html#requirements

[francislavoie]

I went ahead and rebased the branch, fixing some merge conflicts.

@mholt I think this is ready to go 👍

[mholt]

As this has an actual (but niche) use case, I guess we can merge this. Thank you for verifying!

[aoxiangtianji]

This doesn't work on my machine.
I'm running a syncthing discovery server container and a caddy container as reverse proxy via podman rootless.
But the discovery server still reports no certificates.

This is my Caddyfile:

{
    debug
}

sync.example.com:10443 {
    tls {
        dns cloudflare ***
        client_auth {
            mode request
        }
    }

    reverse_proxy /* syncthing-discovery:8443 {
        header_up X-Forwarded-For {http.request.remote.host}
        header_up X-Client-Port {http.request.remote.port}
        header_up X-SSL-Cert {http.request.tls.client.certificate_der_base64}
    }
}

And the log of caddy:

{"level":"debug","ts":1659198997.878383,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"syncthing-discovery:8443","duration":0.004028418,"request":{"remote_ip":"10.89.1.15","remote_port":"55602","proto":"HTTP/1.1","method":"POST","host":"sync.aoxtj.cyou:10443","uri":"/","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["sync.aoxtj.cyou:10443"],"Content-Type":["application/json"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["10.89.1.15"],"X-Client-Port":["55602"],"X-Ssl-Cert":["MIICH********************37OvaXi2w=="],"User-Agent":["Go-http-client/1.1"],"Content-Length":["133"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"sync.aoxtj.cyou","client_common_name":"syncthing","client_serial":"6081856432655817123"}},"headers":{"Retry-After":["1500"],"X-Content-Type-Options":["nosniff"],"Date":["Sat, 30 Jul 2022 16:36:37 GMT"],"Content-Length":["10"],"Content-Type":["text/plain; charset=utf-8"]},"status":403}

Is there something wrong?

[francislavoie]

The headers look correct. It's not an issue with Caddy, you'll need to figure out why your upstream app doesn't accept it.

[Rirmach]

@aoxiangtianji Just change

header_up X-SSL-Cert {http.request.tls.client.certificate_der_base64}

to

header_up X-Tls-Client-Cert-Der-Base64 {http.request.tls.client.certificate_der_base64}

They fixed this but do not update the document, remember to build using the latest commit.