[Security] Add caddy server configuration for Client Authentication (X509) #18151

Merged: 1 commit, Apr 3, 2023

Conversation

Spomky
Contributor

@Spomky Spomky commented Mar 31, 2023

This PR adds a block to show how to configure Caddy Server.
Please note that this only works with SF6.3 (linked to #17582)

@Spomky
Contributor Author

Spomky commented Mar 31, 2023

Build errors from "2023-03-31 08:18:34"
Error while processing "code-block" directive: "Unsupported code block
language "caddy". Added it in
SymfonyDocsBuilder\Renderers\CodeNodeRenderer" in file "security"

How can I create a block definition for Caddy? Is it possible from this repository?

@Spomky
Contributor Author

Spomky commented Apr 2, 2023

Ping @francislavoie just in case.

@francislavoie

Seems fine to me. Is the subject the only field someone might care about? Wouldn't they want the fingerprint and/or the full client cert as well potentially?

Might want to point to Caddy's docs where it documents the placeholders for the client cert. Also FYI there's these Caddyfile placeholder shortcuts that can be used to shorten the config https://caddyserver.com/docs/caddyfile/concepts#placeholders

@Spomky
Contributor Author

Spomky commented Apr 2, 2023

Actually, in one of my projects, I also use the fingerprint and other data you mentioned:

  env SSL_CLIENT_S_FINGERPRINT {http.request.tls.client.fingerprint}
  env SSL_CLIENT_S_CERTIFICATE {http.request.tls.client.certificate_der_base64}
  env SSL_CLIENT_S_ISSUER {http.request.tls.client.issuer}
  env SSL_CLIENT_S_SERIAL {http.request.tls.client.serial}
  env SSL_CLIENT_S_DN {http.request.tls.client.subject}

But those additional ones are not required nor understood by the authenticator, that is why I did not add them in the documentation page.
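A complete Caddyfile that puts the env lines above behind verified client authentication, as an added example rather than code from this PR or from Symfony. The site name, CA bundle path, web root and PHP-FPM socket are assumed placeholders.

```caddy
# Added example (not from the PR). Assumed values: site name, CA bundle path,
# web root and PHP-FPM socket.
example.com {
	root * /var/www/app/public

	tls {
		# Reject the handshake unless the client presents a certificate that
		# chains to the trusted CA. The placeholders below only carry
		# verified data when this mode is in effect.
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/client-ca.pem
		}
	}

	php_fastcgi unix//run/php/php-fpm.sock {
		# Consumed by Symfony's X509 authenticator (subject DN).
		env SSL_CLIENT_S_DN {tls_client_subject}

		# Not used by the authenticator; exposed for manual validation only.
		env SSL_CLIENT_S_FINGERPRINT {tls_client_fingerprint}
		env SSL_CLIENT_S_CERTIFICATE {tls_client_certificate_der_base64}
		env SSL_CLIENT_S_ISSUER {tls_client_issuer}
		env SSL_CLIENT_S_SERIAL {tls_client_serial}
	}

	encode gzip
	file_server
}
```

The application trusts these env values as-is, so PHP-FPM should only be reachable through Caddy.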

@francislavoie

Might be worth mentioning it in case the user may need those additional fields for manual validation? You could put # comments on that chunk to say they're not used by Symfony 🤷‍♂️

@Spomky
Contributor Author

Spomky commented Apr 2, 2023

Indeed you are right.
I updated the PR and added all other relevant env vars that could be used.

@Spomky Spomky force-pushed the x509-caddy branch 2 times, most recently from 1ec8589 to 951a372 Compare April 2, 2023 18:15
@francislavoie

You could also switch to the short form as per my link. There's no downside to it.

@Spomky
Contributor Author

Spomky commented Apr 2, 2023

Many thanks 👌🏼. Done!

@javiereguiluz
Member

Thanks Florent! This is now merged.

@javiereguiluz
Member

The missing caddy config format is being added in symfony-tools/docs-builder#153

@Spomky Spomky deleted the x509-caddy branch April 3, 2023 11:29
javiereguiluz added a commit to symfony-tools/docs-builder that referenced this pull request Apr 3, 2023
… (javiereguiluz)

This PR was merged into the main branch.

Discussion
----------

Add Caddy server config files to the list of known formats

Here: symfony/symfony-docs#18151 we've merged a PR that uses `caddy` as a config format name. So, let's add support for it.

Commits
-------

ee62e63 Add Caddy server config files to the list of known formats