Skip to content

Running fleet telemetry behind a trusted proxy #171

Description

@bramp

I would like to run this software behind a HTTP proxy that would terminate the mTLS connections. Because the proxy terminates the connections, the fleet-telemetry server would not see the client cert. However, many proxies can forward the client certificate, or common name to the backend via HTTP headers, e.g SSL_CLIENT_CERT/SSL_CLIENT_S_DN for Apache.

Would you accept a patch, that adds a config to enable reading the cert, from the HTTP headers, instead of from the SSL connection? If so, I'd be happy to contribute. Reading from headers would be purely optional, and need to be enabled to avoid the security risk of letting clients providing unauthenticated certs.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions