envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Support for dynamic request header SSL_CERT #2699

Closed srikiraju closed 1 week ago

srikiraju commented 6 years ago

Description: https://github.com/envoyproxy/envoy/pull/1131 already includes a framework to support dynamic request headers in the HTTP connection manager. We should extend this capability to support SSL_CERT from the originating client.

This can be useful to pull CommonName and other fields to provide built-in ACL-like features in services against TLS certs.

Relevant Links: nginx, for example, has the $ssl_client_cert var to do something like this.

htuch commented 6 years ago

@srikiraju this seems reasonable; we did have SSL attributes in mind when considering this feature originally. Are you planning on working on this or should we leave this as "help wanted"?

arianmotamedi commented 6 years ago

@htuch Is there any update on this? Is this something that's on Envoy's roadmap? This can be an extremely useful feature :)

ggreenway commented 6 years ago

Is this issue covered by https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers.html#x-forwarded-client-cert, or is this requesting something different?

arianmotamedi commented 6 years ago

My request was more around providing a way to do ACL based on client certificate information directly in Envoy. It does look like you can do public key pinning using the verify_certificate_spki config to grant/deny access, which is what I was looking for :)
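Added example (not part of the thread and not Envoy's own code): how a service behind Envoy could parse the `x-forwarded-client-cert` header linked above and apply a CommonName allow-list. It assumes the Envoy in front of the service overwrites any client-supplied copy of the header (for example `forward_client_cert_details: SANITIZE_SET`); `ALLOWED_CNS`, the function names and the sample CN are hypothetical.

```python
import re

# Constructed allow-list of client certificate Common Names (assumption).
ALLOWED_CNS = {"billing.internal.example"}

def _split(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escaped character with its backslash
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in XFCC header")
    return parts + ["".join(buf)]

def parse_xfcc(header):
    """Return one dict per element; each element describes one proxy hop."""
    elements = []
    for element in _split(header, ","):
        fields = {}
        for pair in _split(element, ";"):
            key, eq, value = pair.strip().partition("=")
            if not eq:
                raise ValueError(f"malformed XFCC pair: {pair!r}")
            if value[:1] == '"':  # quoted value: drop quotes, unescape \"
                value = value[1:-1].replace('\\"', '"')
            fields.setdefault(key.lower(), []).append(value)
        elements.append(fields)
    return elements

def client_cn_allowed(header, allowed=ALLOWED_CNS):
    """Authorize on the CN of the LAST element, the one the nearest Envoy wrote."""
    try:
        subject = parse_xfcc(header)[-1].get("subject", [""])[0]
    except ValueError:
        return False  # fail closed on anything malformed
    rdns = re.split(r"(?<!\\),", subject)  # simplified RFC 2253 split
    cns = [r.strip()[3:] for r in rdns if r.strip().upper().startswith("CN=")]
    return len(cns) == 1 and cns[0] in allowed
```

Only the last element is used for the decision because earlier elements describe hops further from the service; the DN split is a simplification and does not cover multi-valued RDNs.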

github-actions[bot] commented 2 weeks ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 week ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.