
www/caddy: Add client certificate authentication for domains and subdomains

Open bob4os opened this issue 1 year ago • 6 comments

Important notices: Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe.
I would like to use client certificates for authentication on certain domains.

Describe the solution you'd like
A dropdown for choosing the client authentication mode and another dropdown for choosing one or more certificate authorities provided by OPNsense (https://caddyserver.com/docs/caddyfile/directives/tls#client_auth). Probably placed in the Trust or Access part in domains or subdomains?

Describe alternatives you've considered
Using NGINX, but I like the simplicity of Caddy.

Additional context
Adding the (non-standard) verifier module for revoked certificates would be the icing on the cake, but a lot of extra work...?

bob4os, Jul 12 '24 09:07
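The Caddyfile configuration the request is asking the plugin to generate, as an added example (it is not from the issue or from the OPNsense Caddy plugin); the site name, the CA file path and the upstream address are placeholders, and the subdirectives are the standard `client_auth` options documented at the link above:

```caddyfile
# Added example, not plugin output. example.internal, the CA file path and
# the upstream 10.0.0.5:8080 are placeholder values.
example.internal {
    tls {
        client_auth {
            # Modes Caddy accepts: request (ask, but don't require),
            # require (must present one, chain not checked),
            # verify_if_given (check the chain only if one is sent),
            # require_and_verify (must present one and it must chain to a
            # trusted CA). Only require_and_verify actually gates access on
            # the CA, which is the setting a "client certificate auth"
            # dropdown would normally default to.
            mode require_and_verify
            # CA that issued the client certificates; OPNsense would export
            # its own CA here. Use trusted_ca_cert with base64 DER instead
            # if the CA is to be inlined into the Caddyfile.
            trusted_ca_cert_file /usr/local/etc/caddy/certs/client-ca.pem
        }
    }
    reverse_proxy 10.0.0.5:8080
}
```

Two caveats for anyone wiring this into a form: the `tls` block is per site, so each domain or subdomain that should require a client certificate needs its own `client_auth`, and the standard block only checks that the presented certificate chains to the trusted CA. Revocation is exactly what the non-standard verifier mentioned in the request would add; without it, a leaked client certificate stays accepted until it expires or the CA is replaced, so keeping client certificate lifetimes short is the practical mitigation in the meantime.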

@Monviech Would you be willing to help me out with this request?

bob4os, Jul 12 '24 09:07

I'm not sure.

There's already:

  • Access Lists
  • Basic Auth
  • Forward Auth

So already 3 ways to control access. Is a 4th method really needed?

Client Certificate Authentication seems more like a business related feature for me.

The os-OPNWAF has client certificate authentication built in and also supplies automatic Let's Encrypt certificates: https://docs.opnsense.org/vendor/deciso/opnwaf.html#protect-a-local-server-with-certificates

EDIT: Of course - PRs are welcome.

Monviech, Jul 12 '24 10:07

Well, it probably is a business feature, but it is also available in HAProxy and NGINX. The OPNWAF plugin is based on Apache as far as I can see; I have never warmed up to it.

I wanted to benefit from automatic certificates without the need for the ACME plugin (nothing wrong with it), probably even OCSP for client certificates, HTTP3...

I will give it a try.

bob4os, Jul 12 '24 12:07

If you want to give it a try, the backend scripts already take care of the certificate extraction.

You would only need to add things to the model, form controller, reverse_proxy view and the Caddyfile template.

Shouldn't be too hard if you keep the scope of it simple. All the certificate logic has already been implemented at multiple points, so it's probably just some copy-pasting.

The hardest part is the template. The authentication methods like basic auth and access lists cascade into each other with UUID handles. It's that multiple authentication methods can coexist at the same time in a specific order. That's the most complex part to get right.

Monviech, Jul 12 '24 13:07

I did a bit of research last week, but didn't have time this week. But it does seem manageable, yes.

Do you have a preference as to where to put the UI elements? In the Caddyfile it is placed in the tls directive, so I would place it in the Trust collapsible.

bob4os, Jul 12 '24 13:07

Since it's more of an access control feature, I would put it under Access in domains and subdomains. In Trust it might confuse people.

Thanks for giving it a try :)

Monviech, Jul 12 '24 13:07