diff --git a/src/docs/markdown/caddyfile/directives/tls.md b/src/docs/markdown/caddyfile/directives/tls.md index 48af9e4..02f8e35 100644 --- a/src/docs/markdown/caddyfile/directives/tls.md +++ b/src/docs/markdown/caddyfile/directives/tls.md @@ -24,6 +24,13 @@ tls [internal|] | [ ] { ca_root dns [] on_demand + clients { + mode [request|require|verify_if_given|require_and_verify] + trusted_ca_certs + trusted_ca_certs_file + trusted_leaf_certs + trusted_leaf_certs_file + } } ``` @@ -62,7 +69,33 @@ tls [internal|] | [ ] { - **ca_root** specifies a PEM file that contains a trusted root certificate for the ACME CA endpoint, if not in the system trust store. - **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the specified provider plugin, which must be plugged in from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details. Maintaining support for each DNS provider is a community effort. [Learn how to enable the DNS challenge for your provider at our wiki.](https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148) - **on_demand** enables [on-demand TLS](/docs/automatic-https#on-demand-tls) for the hostnames given in the site block's address(es). +- **clients** enables and configures TLS client authentication. +The `clients` block can look like this: + +```caddy-d +clients { + mode [request|require|verify_if_given|require_and_verify] + trusted_ca_certs + trusted_ca_certs_file + trusted_leaf_certs + trusted_leaf_certs_file +} +``` + +- **trusted_ca_certs** is a list of base64 DER-encoded CA certificates against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected. +- **trusted_ca_certs_file** is a list of base64 DER-encoded CA certificate files against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected. +- **trusted_leaf_certs** is a list of base64 DER-encoded client leaf certs to accept. If this list is not empty, client certs which are not in this list will be rejected +- **trusted_leaf_certs_file** is a list of base64 DER-encoded CA certificate files against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected. +- **mode** is the mode for authenticating the client. Allowed values are: + | Mode | Description | + |--------------------|------------------------------------------------------------------------------------------| + | request | Ask clients for a certificate, but allow even if there isn't one; do not verify it | + | require | Require clients to present a certificate, but do not verify it | + | verify_if_given | Ask clients for a certificate; allow even if there isn't one, but verify it if there is | + | require_and_verify | Require clients to present a valid certificate that is verified | + + The default mode is `require_and_verify` if any TrustedCACerts or TrustedLeafCerts are provided; otherwise, the default mode is `require` ## Examples @@ -99,4 +132,15 @@ Enable the DNS challenge for a domain managed on Cloudflare with account credent tls { dns cloudflare {env.CLOUDFLARE_API_TOKEN} } -``` \ No newline at end of file +``` + +Enable TLS Client Authentication + +```caddy-d +tls { + clients { + mode require_and_verify + trusted_ca_certs_file cacerts.crt + } +} +```