xmidt-org / themis

This is a JWT Issuer for the Xmidt service
Apache License 2.0

Add info on how to enable and configure mTLS #56

Closed qthuy closed 4 years ago

qthuy commented 4 years ago

Looking through the documentation, it is not clear how users enable and configure mTLS on themis. For example, how do I specify the CA/server certs and keys?

Equanox commented 4 years ago

AFAIK this is not part of themis and must be done before the request hits themis. You can use a reverse proxy like traefik or nginx for this.

qthuy commented 4 years ago

If mTLS is provided by another service like nginx/traefik, we can close this issue as resolved.

johnabass commented 4 years ago

Themis supports mTLS the same as any other Go server. You just need to configure the relevant fields in crypto/tls.Config.

See: https://pkg.go.dev/crypto/tls?tab=doc#Config

In themis, you can set this via the configuration file:

servers:
    issuer:
        clientCACertificateFile: <path to certificate file or bundle>

When themis's bootstrap code sees that field set, it automatically sets crypto/tls.Config.ClientAuth and crypto/tls.Config.ClientCAs appropriately.
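
The following is an added example, not themis's own bootstrap code, showing in Go what the comment above describes: a configured client CA bundle path is loaded into crypto/tls.Config.ClientCAs and ClientAuth is set to RequireAndVerifyClientCert, while an empty path leaves the server at NoClientCert. The function name BuildServerTLSConfig, the helper names, and the self-generated CA and client certificates are assumptions constructed here so the example runs offline; the config key clientCACertificateFile is the one named above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// BuildServerTLSConfig mirrors what the comment above says themis's bootstrap does (illustrative
// reimplementation, not themis's code): a configured bundle path turns on verified client auth.
func BuildServerTLSConfig(clientCACertificateFile string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if clientCACertificateFile == "" {
		return cfg, nil // no bundle: ClientAuth keeps its zero value, NoClientCert (one-way TLS)
	}
	pemBytes, err := os.ReadFile(clientCACertificateFile)
	if err != nil {
		return nil, fmt.Errorf("reading client CA bundle: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("%s contains no PEM certificates", clientCACertificateFile)
	}
	cfg.ClientCAs = pool
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	return cfg, nil
}

// VerifyClientCert applies the check the handshake makes under RequireAndVerifyClientCert:
// the presented leaf must chain to a configured CA and carry the clientAuth EKU.
func VerifyClientCert(cfg *tls.Config, leaf *x509.Certificate) error {
	if cfg.ClientAuth != tls.RequireAndVerifyClientCert || cfg.ClientCAs == nil {
		return fmt.Errorf("server is not configured for mTLS (ClientAuth=%v)", cfg.ClientAuth)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// issue generates a P-256 key and a short-lived certificate for it, signed by parent
// (self-signed when parent is nil). Constructed test fixture, not a real PKI.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo writes a constructed CA to a temporary bundle file, builds the server config from it,
// and reports whether a CA-issued client cert is accepted and a self-signed one is rejected.
func Demo() (trustedAccepted, rogueRejected bool) {
	check := func(err error) { if err != nil { panic(err) } } // fixture failures are fatal
	ca, caKey, err := issue("trusted-client-ca", true, nil, nil)
	check(err)
	f, err := os.CreateTemp("", "client-ca-*.pem")
	check(err)
	defer os.Remove(f.Name())
	check(pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
	check(f.Close())
	cfg, err := BuildServerTLSConfig(f.Name())
	check(err)
	good, _, err := issue("client", false, ca, caKey)
	check(err)
	rogue, _, err := issue("rogue-client", false, nil, nil) // never issued by the trusted CA
	check(err)
	return VerifyClientCert(cfg, good) == nil, VerifyClientCert(cfg, rogue) != nil
}

func main() {
	fmt.Println(Demo())
}
```

Two things worth checking on a real deployment follow from this: the bundle must contain only the CAs you want to accept client certificates from (AppendCertsFromPEM takes every CERTIFICATE block it finds), and the server's own certificate and key are a separate concern from client authentication, so a missing server key pair will not be reported by the client CA check.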

qthuy commented 4 years ago

Ok, thank you for the info. Will give it a try.

Equanox commented 4 years ago

Thanks for the clarification. Didn't know about it.

visrey commented 3 years ago

There is some serious information that is missing: you need to provide one more level of config, which is missing. I will post an update if someone has bumped their head and is looking for a solution.