
Authentication to webserver with client certificate would be great

Open christian-redhat-test opened this issue 10 months ago • 5 comments

cannot access evcc hosted behind reverse proxy with authentication via client certificate instead of user and password

Tested on android 14

christian-redhat-test avatar Feb 27 '25 20:02 christian-redhat-test

via client certificate instead of user and password

@christian-redhat-test can you provide more details? What's your configuration? What solution would you prefer?

naltatis avatar Feb 28 '25 09:02 naltatis

Hey,

I would need this feature too, since I'm running evcc behind a reverse proxy that checks client certificates before providing access to my applications.

That's why I need to tell the evcc app to use the client certificate installed on my smartphone.

If you need further information, just ping me. I can even answer in German if this is your preferred language.

marcelGoerentz avatar Mar 08 '25 09:03 marcelGoerentz

One more thing: I think it should be possible to use both the user/password authentication and the client certificate authentication.

Also the client certificate can only be used in a TLS/SSL connection.

marcelGoerentz avatar Mar 08 '25 09:03 marcelGoerentz

Sorry for my late answer.

I am running a publicly accessible web server as a reverse proxy for some other web apps on my local network. In my case the web server is an Apache httpd where a <VirtualHost> is protected using some SSLRequire directives, which require the browser to pass a matching client certificate to the proxy. Then Apache uses the ProxyPass and ProxyPassReverse directives to pass all traffic to the destination.

Here is an example of a config section for Apache httpd, but it should be similar or even simpler with nginx or traefik:

<VirtualHost *:8443>
    # This is the name of the vhost; it should match the domain or subdomain
    ServerName evcc.some.domain
    # Not shown here: SSLEngine, the server certificate, SSLVerifyClient and
    # SSLCACertificateFile for this vhost; without them the SSL_CLIENT_* variables
    # below are never populated and every request ends in the 403 document

    <Location "/">
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 256 \
               and %{SSL_CLIENT_S_DN_L} eq "MyLocation" \
               and %{SSL_CLIENT_S_DN_ST} eq "MyState" \
               and %{SSL_CLIENT_S_DN_C} eq "DE" \
               and %{SSL_CLIENT_S_DN_O} eq "my Org" \
               and %{SSL_CLIENT_I_DN_CN} eq "my RootCA" \
               ...
               and %{SSL_CLIENT_I_DN_C} eq "DE"

        ErrorDocument 403 "<h1>system</h1> <p>Error: You need a valid client side certificate registered on this host to access this site!</p>"

        # The rewrites make sure the containers work with websockets
        # The mod_proxy_wstunnel module is required
        RewriteEngine on

        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule .* ws://192.168.1.7:7070%{REQUEST_URI} [P]
        ProxyPass         http://192.168.1.7:7070/
        ProxyPassReverse  http://192.168.1.7:7070/
    </Location>
</VirtualHost>

christian-redhat-test avatar Mar 08 '25 21:03 christian-redhat-test
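The setup described in the comment above, reduced to a self-contained Go sketch. This is an added illustration, not evcc's code and not part of the Apache config posted in the issue. An in-process TLS server plays the reverse proxy: the handshake itself demands a client certificate chaining to a trusted CA, and the handler then pins the subject organisation and issuer name the way the SSLRequire block pins DN fields. The client side shows what the app would have to do, which is present a certificate in the TLS handshake. The CA, the "phone" client certificates and the names "my Org" / "my RootCA" are constructed in memory for the demo and are not real PKI material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a key pair and certificate for cn/org: a self-signed CA when parent is nil, otherwise a
// client certificate signed by parent. Constructed in memory for the demo; real deployments load PEM files.
func issue(cn, org string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}, Country: []string{"DE"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// authorize mirrors the SSLRequire block: TLS already verified the chain against the CA; additionally pin O and issuer CN.
func authorize(cert *x509.Certificate) bool {
	return len(cert.Subject.Organization) == 1 && cert.Subject.Organization[0] == "my Org" &&
		cert.Issuer.CommonName == "my RootCA"
}

// newServer stands in for the reverse proxy: without a client cert chaining to ca the handshake fails, so HTTP is never reached.
func newServer(ca *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorize(r.TLS.PeerCertificates[0]) { // non-empty because of RequireAndVerifyClientCert
			http.Error(w, "valid client certificate required", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// newClient is the app side of the feature request: trust the server cert and, when given one, present a client cert.
func newClient(srv *httptest.Server, clientCert *tls.Certificate) *http.Client {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch returns the HTTP status, or 0 when the TLS handshake was refused and no HTTP exchange happened.
func fetch(c *http.Client, url string) int {
	resp, err := c.Get(url)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Demo returns the status seen with a valid cert, with a cert from the right CA but the wrong organisation, and with no cert.
func Demo() (valid, wrongOrg, noCert int) {
	ca, caKey := issue("my RootCA", "my Org", nil, nil)
	srv := newServer(ca)
	defer srv.Close()
	leaf := func(org string) *tls.Certificate {
		c, k := issue("phone", org, ca, caKey)
		return &tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
	}
	valid = fetch(newClient(srv, leaf("my Org")), srv.URL)
	wrongOrg = fetch(newClient(srv, leaf("other Org")), srv.URL)
	noCert = fetch(newClient(srv, nil), srv.URL)
	return
}

func main() {
	fmt.Println(Demo()) // 200 403 0
}
```

The three outcomes are the point of the thread: a client with the right certificate gets 200, a certificate from the trusted CA but with the wrong organisation passes the handshake and is then refused by the DN check (403), and a client with no certificate at all is cut off during the TLS handshake, so it never sees the application or its login form.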

This would be great for me too. Running mTLS authentication using nginx reverse proxy in front of evcc. I am currently using it with a Chromium based browser, which supports mTLS authentication when you install the client cert to the Android cert store. Support within the app for this would be amazing!

It's also much more secure than user:pass authentication, since an attacker doesn't even see evcc if they have no certificate. Exposing even the login form to the public internet is already a small security issue.

lpcvoid avatar Jul 05 '25 09:07 lpcvoid