
Mutual TLS through a Reverse Proxy

Zhimin Wen
4 min read · Jun 30, 2022


I created a sample mTLS application to test the configuration of the reverse proxies (namely HAProxy and Traefik) for routing traffic based on the SNI hostname.

The sample app

A toy program that validates the client's certificate.

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

func greet(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "App:%s Hello World! %s", os.Getenv("APP_NAME"), time.Now())
}

func main() {
	http.HandleFunc("/", greet)
	// Trust only client certs issued by our own CA (the original unwrapped the read with a try.E1 helper).
	caPEM, err := os.ReadFile("certs/myca.pem")
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caPEM) {
		log.Fatal("no CA certificate found in certs/myca.pem")
	}
	tlsConfig := &tls.Config{
		ClientCAs:  caCertPool,
		ClientAuth: tls.RequireAndVerifyClientCert, // clients without a valid CA-signed cert are refused
	}

	port := os.Getenv("APP_PORT")
	if port == "" {
		port = "1443"
	}
	server := &http.Server{
		Addr:      ":" + port,
		TLSConfig: tlsConfig,
	}
	log.Fatal(server.ListenAndServeTLS("certs/mtls-server.pem", "certs/mtls-server-key.pem"))
}

We first create our own CA, then create a server cert and sign it with that CA. The SAN list of the server cert is set to mtls-server and *.apps.test-bed.ibmcloud.io.cpak.

Then we create the client cert and sign it with the same CA.
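To see the chain work end to end without touching the file system, here is an added example (not the author's code) that builds the CA, a server cert carrying the SAN list above and a client cert in memory, serves with the same ClientCAs/RequireAndVerifyClientCert policy as the sample app, and shows a CA-signed client being admitted while a client presenting no certificate is refused. The names myca and alice, the X-Client-CN header and the loopback listener are constructed for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"time"
)
// issue signs tmpl with parent (self-signed when parent is nil). Constructed in-memory PKI: no files on disk.
func issue(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent = &tls.Certificate{PrivateKey: key, Leaf: tmpl}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// RunScenario serves with the sample app's ClientAuth policy; it returns the identity the server saw for a myca-signed client and the error an anonymous client gets.
func RunScenario() (string, error) {
	ca := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "myca"}, IsCA: true, BasicConstraintsValid: true}, nil)
	srv := issue(&x509.Certificate{DNSNames: []string{"mtls-server", "*.apps.test-bed.ibmcloud.io.cpak"}}, &ca)
	cli := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "alice"}}, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv},
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}) // same policy as the sample app
	defer ln.Close()
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Client-CN", r.TLS.PeerCertificates[0].Subject.CommonName) // verified client leaf
	}))
	get := func(certs ...tls.Certificate) (string, error) {
		// ServerName is checked against the server cert's SANs, the same name a proxy would route on via SNI
		tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "mtls-server", Certificates: certs}}
		resp, err := (&http.Client{Transport: tr}).Get("https://" + ln.Addr().String())
		if err != nil {
			return "", err
		}
		resp.Body.Close()
		return resp.Header.Get("X-Client-CN"), nil
	}
	cn, _ := get(cli)   // presents a cert chained to myca
	_, anonErr := get() // presents nothing: RequireAndVerifyClientCert rejects the connection
	return cn, anonErr
}
```

The server logs a handshake error for the anonymous client, which is the same signal the sample app emits when a caller without a CA-issued certificate arrives.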
