I would like to run this software behind a HTTP proxy that would terminate the mTLS connections. Because the proxy terminates the connections, the fleet-telemetry server would not see the client cert. However, many proxies can forward the client certificate, or common name to the backend via HTTP headers, e.g SSL_CLIENT_CERT/SSL_CLIENT_S_DN for Apache.
Would you accept a patch, that adds a config to enable reading the cert, from the HTTP headers, instead of from the SSL connection? If so, I'd be happy to contribute. Reading from headers would be purely optional, and need to be enabled to avoid the security risk of letting clients providing unauthenticated certs.
I would like to run this software behind a HTTP proxy that would terminate the mTLS connections. Because the proxy terminates the connections, the fleet-telemetry server would not see the client cert. However, many proxies can forward the client certificate, or common name to the backend via HTTP headers, e.g SSL_CLIENT_CERT/SSL_CLIENT_S_DN for Apache.
Would you accept a patch, that adds a config to enable reading the cert, from the HTTP headers, instead of from the SSL connection? If so, I'd be happy to contribute. Reading from headers would be purely optional, and need to be enabled to avoid the security risk of letting clients providing unauthenticated certs.