Open srikiraju opened 6 years ago
@srikiraju this seems reasonable; we did have SSL attributes in mind when considering this feature originally. Are you planning on working on this or should we leave this as "help wanted"?
@htuch Is there any update on this? Is this something that's on Envoy's roadmap? This can be an extremely useful feature :)
Is this issue covered by https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers.html#x-forwarded-client-cert, or is this requesting something different?
My request was more around providing a way to do ACL based on client certificate information directly in Envoy. It does look like you can do public key pinning using the verify_certificate_spki config to grant/deny access, which is what I was looking for :)
Description: https://github.com/envoyproxy/envoy/pull/1131 already includes a framework to support dynamic request headers in the HTTP connection manager. We should extend this capability to support SSL_CERT from the originating client.
This can be useful to pull CommonName and other fields to provide built-in ACL-like features in services against TLS certs.
Relevant Links: nginx for example has the $ssl_client_cert var to do something like this
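For the x-forwarded-client-cert route raised in the thread, the sketch below is an added example (not code from this issue or from Envoy) of an upstream service parsing that header and applying a CommonName allow-list. The allow-list, the sample header, the comma-separated Subject layout and the choice to check the last element are assumptions.

```python
# Added example: upstream-side ACL on Envoy's x-forwarded-client-cert header.
ALLOWED_CNS = {"billing-client"}  # hypothetical allow-list

# Constructed sample: two elements, the second appended by the nearest proxy.
SAMPLE_XFCC = (
    'By=spiffe://edge;Hash=aaa;Subject="CN=other,OU=Dev";URI=spiffe://a,'
    'By=spiffe://edge;Hash=bbb;Subject="CN=billing-client,OU=Payments"'
)

def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep escaped char, e.g. \"
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_xfcc(header):
    """Return one dict of lower-cased keys per comma-separated element."""
    elements = []
    for element in split_unquoted(header, ","):
        fields = {}
        for pair in split_unquoted(element, ";"):
            key, _, value = pair.strip().partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            fields[key.lower()] = value
        elements.append(fields)
    return elements

def is_allowed(header):
    """Fail closed: no header, no Subject, or unknown CN is denied."""
    if not header:
        return False
    subject = parse_xfcc(header)[-1].get("subject", "")  # assumption: last = nearest proxy
    for rdn in subject.split(","):  # assumption: comma-separated RDNs
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value in ALLOWED_CNS
    return False
```

A check like this is only meaningful when every request reaches the service through Envoy and Envoy overwrites any client-supplied copy of the header (for example with `forward_client_cert_details: SANITIZE_SET`).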