mholt / caddy-l4

Layer 4 (TCP/UDP) app for Caddy
Apache License 2.0
908 stars 69 forks

Add mTLS client attributes to matching/routing #66

Open dekimsey opened 2 years ago

dekimsey commented 2 years ago

The http app exposes a number of placeholders that'd be equally valuable for the L4 side (http.request.tls.*). Right now matching only works for sni, alpn, and remote_ip.

Use-case: I'd like to be able to have an mTLS stripping proxy that can also validate that the client's certificate has a given SAN in addition to being validly signed by the CA. Right now, that doesn't appear possible.

(Apologies if I have screwed up the nomenclature here, I'm a bit new to Caddy)

mholt commented 2 years ago

Yeah, we can do that. This is pretty easy to do. You're looking for basically this code:

https://github.com/caddyserver/caddy/blob/2642bd72b7ca35b8622824fdffced2aefe1aaf11/modules/caddyhttp/replacer.go#L286-L379

But for layer4. The Connections all have a Replacer, similar to the http app:

https://github.com/mholt/caddy-l4/blob/aec6535658b117e6283cc2bdaa80d17462fd2eef/layer4/connection.go#L32-L46

So if you're matching on TLS attributes (as opposed to terminating TLS) then maybe somewhere around here:

https://github.com/mholt/caddy-l4/blob/aec6535658b117e6283cc2bdaa80d17462fd2eef/modules/l4tls/matcher.go#L101-L103

I'm a little too busy to take this on right now but it shouldn't be too difficult if someone would like to contribute!

dekimsey commented 2 years ago

Thanks for the pointers @mholt, I'll give this a try.

stronny commented 1 year ago

I need this as well, in case priority depends on user input. Would also be helpful if Caddy could parse the certificate subject into fields, kind of like it does for HTTP queries.
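The two ideas in this thread, exposing client-certificate attributes as placeholders the way the http app does, and splitting the subject into individual fields, can be sketched as a small Go program. This is an added example, not code from caddy-l4 or Caddy: the placeholder key names (`l4.tls.client.*`), the helper names `clientCertPlaceholders`, `matchClientSAN` and `sampleClientCert`, and the self-signed certificate it builds are all assumptions made for illustration. In a real matcher the returned map would be fed into the connection's Replacer once the handshake has verified the chain; the example only shows how the values are derived from an `x509.Certificate` and how a SAN match would be decided.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// clientCertPlaceholders flattens the attributes of an already-verified
// client certificate into placeholder-style keys. The key names are an
// assumption for this example, modelled loosely on the http app's
// http.request.tls.client.* placeholders; layer4 does not define them.
func clientCertPlaceholders(cert *x509.Certificate) map[string]string {
	p := map[string]string{
		"l4.tls.client.subject":       cert.Subject.String(),
		"l4.tls.client.issuer":        cert.Issuer.String(),
		"l4.tls.client.serial":        cert.SerialNumber.String(),
		"l4.tls.client.san.dns_names": strings.Join(cert.DNSNames, ","),
		"l4.tls.client.san.emails":    strings.Join(cert.EmailAddresses, ","),
	}
	ips := make([]string, 0, len(cert.IPAddresses))
	for _, ip := range cert.IPAddresses {
		ips = append(ips, ip.String())
	}
	p["l4.tls.client.san.ips"] = strings.Join(ips, ",")
	uris := make([]string, 0, len(cert.URIs))
	for _, u := range cert.URIs {
		uris = append(uris, u.String())
	}
	p["l4.tls.client.san.uris"] = strings.Join(uris, ",")
	// Subject broken out into fields, so a matcher can test CN, O or OU
	// individually instead of string-matching the whole DN.
	p["l4.tls.client.subject.cn"] = cert.Subject.CommonName
	p["l4.tls.client.subject.o"] = strings.Join(cert.Subject.Organization, ",")
	p["l4.tls.client.subject.ou"] = strings.Join(cert.Subject.OrganizationalUnit, ",")
	return p
}

// matchClientSAN reports whether one of the certificate's DNS SANs equals
// wantDNS. Hostnames are case-insensitive, so the comparison folds case;
// wildcards are deliberately not honoured, since a route decision should
// be an exact match on the identity the CA actually issued.
func matchClientSAN(cert *x509.Certificate, wantDNS string) bool {
	for _, n := range cert.DNSNames {
		if strings.EqualFold(n, wantDNS) {
			return true
		}
	}
	return false
}

// sampleClientCert builds a self-signed client certificate in memory.
// This is constructed test data so the example runs offline; a real
// deployment would see the peer certificate from the TLS handshake.
func sampleClientCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject: pkix.Name{
			CommonName:         "svc-a.internal.example",
			Organization:       []string{"Example Org"},
			OrganizationalUnit: []string{"Platform"},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		DNSNames:    []string{"svc-a.internal.example"},
		IPAddresses: []net.IP{net.ParseIP("10.0.0.5")},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := sampleClientCert()
	if err != nil {
		panic(err)
	}
	for k, v := range clientCertPlaceholders(cert) {
		fmt.Printf("%s = %q\n", k, v)
	}
	fmt.Println("routes to svc-a:", matchClientSAN(cert, "svc-a.internal.example"))
}
```

The important ordering point for the use-case in this thread is that none of these values mean anything until chain verification has succeeded: the attributes are only trustworthy for routing after the certificate has been validated against the configured CA, so a matcher should consult them only on a verified connection.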