From a74bfe461f3539551469da1760a03fe9918f3b64 Mon Sep 17 00:00:00 2001 From: Daniel Santos Date: Mon, 8 Jun 2020 16:59:16 -0600 Subject: [PATCH] doc(tls): Add the tls.client_auth Caddyfile directive doc --- src/docs/markdown/caddyfile/directives/tls.md | 46 ++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/src/docs/markdown/caddyfile/directives/tls.md b/src/docs/markdown/caddyfile/directives/tls.md index 48af9e4..5f4937f 100644 --- a/src/docs/markdown/caddyfile/directives/tls.md +++ b/src/docs/markdown/caddyfile/directives/tls.md @@ -24,6 +24,13 @@ tls [internal|] | [ ] { ca_root dns [] on_demand + client_auth { + mode [request|require|verify_if_given|require_and_verify] + trusted_ca_cert + trusted_ca_cert_file + trusted_leaf_cert + trusted_leaf_cert_file + } } ``` @@ -62,8 +69,34 @@ tls [internal|] | [ ] { - **ca_root** specifies a PEM file that contains a trusted root certificate for the ACME CA endpoint, if not in the system trust store. - **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the specified provider plugin, which must be plugged in from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details. Maintaining support for each DNS provider is a community effort. [Learn how to enable the DNS challenge for your provider at our wiki.](https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148) - **on_demand** enables [on-demand TLS](/docs/automatic-https#on-demand-tls) for the hostnames given in the site block's address(es). +- **client_auth** enables and configures TLS client authentication. +The `client_auth` block can look like this: + +```caddy-d +client_auth { + mode [request|require|verify_if_given|require_and_verify] + trusted_ca_cert + trusted_ca_cert_file + trusted_leaf_cert + trusted_leaf_cert_file +} +``` + +- **trusted_ca_cert** is a base64 DER-encoded CA certificate against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. +- **trusted_ca_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. +- **trusted_leaf_cert** is a base64 DER-encoded client leaf certificate to accept. Client certificates which are not signed by any of these CAs will be rejected. +- **trusted_leaf_cert_file** is a base64 DER-encoded CA certificate file against which to validate client certificates. Client certificates which are not signed by any of these CAs will be rejected. +- **mode** is the mode for authenticating the client. Allowed values are: + | Mode | Description | + |--------------------|------------------------------------------------------------------------------------------| + | request | Ask clients for a certificate, but allow even if there isn't one; do not verify it | + | require | Require clients to present a certificate, but do not verify it | + | verify_if_given | Ask clients for a certificate; allow even if there isn't one, but verify it if there is | + | require_and_verify | Require clients to present a valid certificate that is verified | + + The default mode is `require_and_verify` if any `trusted_ca_cert` or `trusted_leaf_cert` are provided; otherwise, the default mode is `require` ## Examples @@ -99,4 +132,15 @@ Enable the DNS challenge for a domain managed on Cloudflare with account credent tls { dns cloudflare {env.CLOUDFLARE_API_TOKEN} } -``` \ No newline at end of file +``` + +Enable TLS Client Authentication + +```caddy-d +tls { + client_auth { + mode require_and_verify + trusted_ca_cert_file ../caddy.ca.cer + } +} +```