This plugin authorizes requests based on the SAN DNS names of a TLS client certificate. If the client does not present a certificate, or presents a certificate that the configuration does not allow to continue, 403 Forbidden is returned.
CAUTION: This plugin does not validate the certificate it receives. Use the Traefik mTLS configuration to also validate the certificate against a CA that you specify.
```yaml
experimental:
  plugins:
    certauthz:
      moduleName: "github.com/famedly/traefik-certauthz"
      version: "v0.1.0"
```
```yaml
http:
  middlewares:
    my-certauthz:
      plugin:
        certauthz:
          domains:
            - "example.org"
            - "*.example.net"
  routers:
    my-router:
      middlewares:
        - "my-certauthz"
      tls:
        # Traefik mTLS configuration is required for certificate validation
        # https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls
        options: my-mtls
      entrypoints: […]
      rule: …
      service: …

tls:
  options:
    my-mtls:
      clientAuth:
        caFiles:
          - /etc/ssl/certs/ca-certificates.crt
        clientAuthType: RequireAndVerifyClientCert
```
Instead of providing a list of domains you can also specify a regex to match against. This is not recommended.
```yaml
http:
  middlewares:
    my-certauthz:
      plugin:
        certauthz:
          # single quotes keep the backslash literal; in a double-quoted
          # YAML string "\." is an invalid escape and the parser rejects it
          regex: '^example\.org$'
```
If you forget the `^` and `$` anchors, an attacker would be able to pass with a certificate whose SAN DNS name is `example.org.badactor.com`. The `.` character should also be escaped, since an unescaped `.` matches any character.
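As an added illustration, not the plugin's own code, the following Go sketch shows both authorization modes described above (a domain list with wildcards, and a regex) applied to a certificate's SAN DNS names, and why the unanchored, unescaped regex lets `example.org.badactor.com` through. The wildcard rule (one leftmost label) is an assumption of this example; the sample SAN lists are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// matchDomain: exact match, or "*." matching exactly one leftmost DNS label (as in
// TLS certificate wildcards; an assumption here, the page does not define the rule).
func matchDomain(pattern, san string) bool {
	pattern, san = strings.ToLower(pattern), strings.ToLower(san)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == san
	}
	suffix := pattern[1:] // "*.example.net" -> ".example.net"
	if !strings.HasSuffix(san, suffix) {
		return false
	}
	label := strings.TrimSuffix(san, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// allowedByList: domains mode, any SAN DNS name matching any entry passes.
func allowedByList(sans, domains []string) bool {
	for _, san := range sans {
		for _, d := range domains {
			if matchDomain(d, san) {
				return true
			}
		}
	}
	return false
}

// allowedByRegex: regex mode, any SAN DNS name matching the pattern passes.
func allowedByRegex(sans []string, re *regexp.Regexp) bool {
	for _, san := range sans {
		if re.MatchString(san) {
			return true
		}
	}
	return false
}

func main() {
	attacker := []string{"example.org.badactor.com"} // constructed SAN list
	fmt.Println(allowedByList(attacker, []string{"example.org", "*.example.net"})) // false
	fmt.Println(allowedByRegex(attacker, regexp.MustCompile(`example.org`)))       // true: unanchored
	fmt.Println(allowedByRegex(attacker, regexp.MustCompile(`^example\.org$`)))    // false
}
```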